Programatically configure SAML attributes using an iRule

Question

I have a requirement to send user "roles" based on AD group membership and add these roles as multiple values to a single SAML attribute.

Currently we have all roles in a single string separated by a "|" and put into a session variable which is then applied to a SAML attribute but we need to split the roles out to be applied as multiple values of the same attribute. I need to know if it's possible to manipulate SAML attributes in an iRule. I couldn't find anything in the docs.

petewhite · Answer

How about using: https://clouddocs.f5.com/api/irules/ACCESS__saml.html

I am confused as to what you mean by "multiple values of the same attribute". It seems that you are currently doing that by using an attribute and using a separator

ty_john · Answer

I know I can use 'ACCESS::saml assertion' to send a completely custom assertion but I'd like to avoid it if possible.Have a look at the attached screen shot for what I mean by multiple values. You are able to add multiple values to a single attribute so the resulting assertion will look something like the snippet below. So rather than adding a delimited string to a single value I want to split it out to multiple values but there doesn't seem to be a way to do that programmatically.I hope that makes sense.&lt;saml2:AttributeStatement&gt;
	&lt;saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Name="portalRole" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"&gt;
		&lt;saml2:AttributeValue xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"&gt;SM1&lt;/saml2:AttributeValue&gt;
		&lt;saml2:AttributeValue xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"&gt;SM2&lt;/saml2:AttributeValue&gt;
	&lt;/saml2:Attribute&gt;
&lt;/saml2:AttributeStatement&gt;

ty_john · Answer

Never mind. I just realised that separating by "|" actually does produce multiple values. I must have been having some other issue causing it to not work under certain use cases.

nolan_jensen · Answer

Ty_John,Can you provide me a screen shot of how you were able to use | to seperate multiple saml attributes?&nbsp; I have tried to do so many times in the place you have in your screen shot but will not seperate them like it says it should.Thanks

Forum Discussion

Programatically configure SAML attributes using an iRule

4 Replies

Recent Discussions

Import PKCS 12 SSL to Device Certificate via API/Script or CLI on BIG-IP

Help with URL Masking

F5 iRule to replace host to path

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5 Rseries R2600 Tenant sizing

Related Content

Add SameSite attribute to APM Cookies

Lightboard Lessons: HTTP Cookie SameSite Attribute

Set the SameSite Attribute for LTM Persistence Cookies

BIG-IP BGP Routing Protocol Configuration And Use Cases

Changing samesite attribute on ASM TS Cookie