Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Programatically configure SAML attributes using an iRule

Ty_John
Nimbostratus
Nimbostratus

‎25-Mar-2020 23:47

I have a requirement to send user "roles" based on AD group membership and add these roles as multiple values to a single SAML attribute.

Currently we have all roles in a single string separated by a "|" and put into a session variable which is then applied to a SAML attribute but we need to split the roles out to be applied as multiple values of the same attribute. I need to know if it's possible to manipulate SAML attributes in an iRule. I couldn't find anything in the docs.

Labels:
0 Kudos
4 REPLIES 4

PeteWhite
F5 Employee
F5 Employee

‎26-Mar-2020 06:18

How about using: https://clouddocs.f5.com/api/irules/ACCESS__saml.html

 

I am confused as to what you mean by "multiple values of the same attribute". It seems that you are currently doing that by using an attribute and using a separator

0 Kudos

Ty_John
Nimbostratus
Nimbostratus

‎26-Mar-2020 15:33 - last edited on ‎05-Jun-2023 23:05 by Fog

0691T000008GnJ1QAK.pngI know I can use 'ACCESS::saml assertion' to send a completely custom assertion but I'd like to avoid it if possible.

Have a look at the attached screen shot for what I mean by multiple values. You are able to add multiple values to a single attribute so the resulting assertion will look something like the snippet below. So rather than adding a delimited string to a single value I want to split it out to multiple values but there doesn't seem to be a way to do that programmatically.

I hope that makes sense.

<saml2:AttributeStatement>
	<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Name="portalRole" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
		<saml2:AttributeValue xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">SM1</saml2:AttributeValue>
		<saml2:AttributeValue xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">SM2</saml2:AttributeValue>
	</saml2:Attribute>
</saml2:AttributeStatement>
0 Kudos

Ty_John
Nimbostratus
Nimbostratus
In response to Ty_John

‎26-Mar-2020 18:27

Never mind. I just realised that separating by "|" actually does produce multiple values. I must have been having some other issue causing it to not work under certain use cases.

0 Kudos

Nolan_Jensen
Cirrostratus
Cirrostratus
In response to Ty_John

‎09-Aug-2022 11:29 - edited ‎09-Aug-2022 11:29

Ty_John,

Can you provide me a screen shot of how you were able to use | to seperate multiple saml attributes?  I have tried to do so many times in the place you have in your screen shot but will not seperate them like it says it should.

Thanks

0 Kudos
Copyright © 2023 Khoros, LLC