Showing results for 
Search instead for 
Did you mean: 



HI, I am currently setup on my APM to use SAML single sign on with Azure as my IDP and F5 APM as my SP. I want to assign resources to authenticated users based on their groups in azure. How do i represent this in the Advanced Resource Assign expression in the Visual Policy Editor?


Please this is quite urgent.


F5 Employee
F5 Employee

An quick answer - find the session variable which contains the groups and add an Empty Box where the first branch uses mcget and expr


eg expr { [ mcget { session.saml.attr.groups } ] contains "Administrator" }


Start with this and move on from there

Hi Pete, thanks for your reply. From the link you posted, i see that this expression was said to be useful in the variable assign block which is in the VPE of the access per request policy. Is it possible to use this same expression the per session policy for the advanced resource assign expression box? Secondly, while using this expression to specify groups, is there any where in the SP, IDP connector settings of the SAML that i have to specify this attirbute value in the expression you posted. I am asking because i have seen a box in the IDP connector settings named identity attribute location and i wouldnt know what is required in that box in the idp connector setting.


Yes, IIRC you can also use this in advanced resource assign - it is a general thing which is available in many of the VPE objects, both per-session and per-request.

Not too sure what you mean about the IdP connector, I suspect that you are talking about using multiple IdPs. For instance, if you have a different landing URI, Host etc then you can send the request to a different IdP. What are you trying to do?

For more examples, take a look at this:

okay. This is what i am trying to do. I integrated my F5 APM with Azure using SAML for authentication and so as to setup SSO. SAML consists of IDP and SP. In my case, Azure is my IDP and F5 APM is my SP. Now you know when configuring the SAML on F5, you setup Local SP service and External IDP connector. Now the essence of my question is that, the SAML generates assertions from the IDP which contains session variables and attributes. Now i want the groupID attribute to be part of the assertion sent to F5 so that the VPE can process it and with my expression for specific azure GroupID, I can assign resources. Do you get this?



I am using APM to present a portal access of published applications to authenticated users. Users that will be authenticated with my existing azure AD service and with the existing MFA. Such that once i am authenticated, i see only the portal applications i am expected to see and not more and i can click on those applications without needing a reauthentication to them because of SSO configuration attached to the setup

Please check out the part of the SAML configuration i am talking about in this picture attached,

i don't believe you have to do that there. it is something done on the IdP, so Azure AD and then the Enterprise Application. afterwards you can check your APM session variables to see what you need.

Thanks for sharing! Solved me a similar issue. Upvoted.