
Programmatically configure SAML attributes using an iRule

Ty_John
Nimbostratus

I have a requirement to send user "roles" based on AD group membership and add these roles as multiple values to a single SAML attribute.

Currently we have all roles in a single string separated by a "|" and put into a session variable which is then applied to a SAML attribute but we need to split the roles out to be applied as multiple values of the same attribute. I need to know if it's possible to manipulate SAML attributes in an iRule. I couldn't find anything in the docs.

3 REPLIES

PeteWhite
F5 Employee

How about using: https://clouddocs.f5.com/api/irules/ACCESS__saml.html


I am confused as to what you mean by "multiple values of the same attribute". It seems that you are currently doing that by using an attribute and using a separator.

Ty_John
Nimbostratus

I know I can use 'ACCESS::saml assertion' to send a completely custom assertion but I'd like to avoid it if possible.

Have a look at the attached screenshot for what I mean by multiple values. You are able to add multiple values to a single attribute, so the resulting assertion will look something like the snippet below. So rather than adding a delimited string to a single value, I want to split it out to multiple values, but there doesn't seem to be a way to do that programmatically.

I hope that makes sense.


<saml2:AttributeStatement>
  <saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Name="portalRole" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">SM1</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">SM2</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>

Never mind. I just realised that separating by "|" actually does produce multiple values. I must have been having some other issue causing it to not work under certain use cases.
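As an added illustration of the multi-valued attribute shape discussed above (not code from the thread or from F5), the following Python builds a single SAML 2.0 Attribute with one AttributeValue per role from a "|"-delimited role string, and shows the matching consumer-side read that collects every AttributeValue rather than only the first. The SAMPLE_ASSERTION is the snippet posted above; the function names and the empty-token handling are my own assumptions.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
UNSPECIFIED_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
ET.register_namespace("saml2", SAML2_NS)

# The AttributeStatement shape from the thread (constructed sample input).
SAMPLE_ASSERTION = (
    '<saml2:AttributeStatement xmlns:saml2="%s">'
    '<saml2:Attribute Name="portalRole" NameFormat="%s">'
    "<saml2:AttributeValue>SM1</saml2:AttributeValue>"
    "<saml2:AttributeValue>SM2</saml2:AttributeValue>"
    "</saml2:Attribute></saml2:AttributeStatement>" % (SAML2_NS, UNSPECIFIED_FMT)
)


def build_attribute_statement(name: str, delimited_roles: str, sep: str = "|") -> str:
    """Split a delimited role string such as "SM1|SM2" into one
    <saml2:AttributeValue> per role under a single <saml2:Attribute>."""
    stmt = ET.Element(f"{{{SAML2_NS}}}AttributeStatement")
    attr = ET.SubElement(
        stmt, f"{{{SAML2_NS}}}Attribute", {"Name": name, "NameFormat": UNSPECIFIED_FMT}
    )
    for role in delimited_roles.split(sep):
        role = role.strip()
        if not role:  # drop empty tokens from "SM1||SM2" or a trailing separator
            continue
        ET.SubElement(attr, f"{{{SAML2_NS}}}AttributeValue").text = role
    return ET.tostring(stmt, encoding="unicode")


def attribute_values(assertion_xml: str, name: str) -> list[str]:
    """Return every AttributeValue of the named attribute, in document order.
    A consumer that reads only the first value silently loses roles, so an
    authorization check must iterate over all of them."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        if attr.get("Name") != name:
            continue
        for value in attr.findall("saml2:AttributeValue", {"saml2": SAML2_NS}):
            values.append((value.text or "").strip())
    return values


if __name__ == "__main__":
    print(build_attribute_statement("portalRole", "SM1|SM2"))
    print(attribute_values(SAMPLE_ASSERTION, "portalRole"))
```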