
Oreoluwa
Nov 09, 2020

SAML SESSION VARIABLE AND ATTRIBUTES

Hi, I am currently set up on my APM to use SAML single sign-on with Azure as my IdP and F5 APM as my SP. I want to assign resources to authenticated users based on their groups in Azure. How do I represent this in the Advanced Resource Assign expression in the Visual Policy Editor?


Please, this is quite urgent.

9 Replies

  • A quick answer: find the session variable which contains the groups and add an Empty box where the first branch uses mcget and expr


    e.g. expr { [mcget {session.saml.attr.groups}] contains "Administrator" }


    https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-visual-policy-editor-13-0-0/8.html


    Start with this and move on from there

    • Oreoluwa

      Hi Pete, thanks for your reply. From the link you posted, I see that this expression was said to be useful in the Variable Assign block, which is in the VPE of the per-request access policy. Is it possible to use this same expression in the per-session policy for the Advanced Resource Assign expression box? Secondly, while using this expression to specify groups, is there anywhere in the SP or IdP connector settings of the SAML that I have to specify this attribute value in the expression you posted? I am asking because I have seen a box in the IdP connector settings named "identity attribute location" and I wouldn't know what is required in that box in the IdP connector setting.


      • PeteWhite

        Yes, IIRC you can also use this in Advanced Resource Assign. It is a general thing which is available in many of the VPE objects, both per-session and per-request.

        Not too sure what you mean about the IdP connector, I suspect that you are talking about using multiple IdPs. For instance, if you have a different landing URI, Host etc then you can send the request to a different IdP. What are you trying to do?

    • CA_Valli

      Thanks for sharing! Solved a similar issue for me. Upvoted.
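The expression PeteWhite posted above, worked through as an added example that is not part of the original thread. The mcget stand-in and the group values are constructed so the script runs in plain tclsh; on a BIG-IP, mcget reads the real APM session store and needs no stub. The script also goes one step beyond the thread: the contains operator that F5 adds to Tcl's expr is a substring test, so "Administrator" also matches a group named "Administrators". An exact-match variant built on lsearch -exact is shown beside it, under the assumption that the multi-valued SAML attribute is stored whitespace-separated; check the delimiter your APM version actually writes (look at the variable in the session report) before relying on that.

```tcl
# Added example (not from the original thread): simulates how an APM
# Advanced Resource Assign / branch-rule expression evaluates the
# session.saml.attr.groups variable, and why a substring check over-matches.
# Run with: tclsh groups.tcl

# On a real BIG-IP, mcget reads the APM session store. This stand-in proc
# is a constructed substitute so the script runs in plain tclsh; the group
# values below are constructed sample data, not from any real assertion.
proc mcget {name} {
    array set session {
        session.saml.attr.groups {Administrators HelpDesk Finance-Readers}
    }
    return $session($name)
}

# F5's expr extends Tcl with the "contains" operator (substring match).
# Plain tclsh lacks it, so this helper mirrors its semantics.
proc f5_contains {haystack needle} {
    expr { [string first $needle $haystack] >= 0 }
}

# Substring check, as used in the thread: "Administrator" also matches
# "Administrators", "NonAdministrator", and anything else containing it.
proc has_group_substring {group} {
    f5_contains [mcget {session.saml.attr.groups}] $group
}

# Exact-match check: treat the attribute as a Tcl list and compare whole
# elements. Assumes the values are whitespace-separated (true of the
# constructed sample above); verify the delimiter on your APM version.
proc has_group_exact {group} {
    expr { [lsearch -exact [mcget {session.saml.attr.groups}] $group] >= 0 }
}

# Compare both checks for a few candidate group names. "Administrator" and
# "Finance" pass the substring check but fail the exact check, which is the
# behaviour to watch when the check gates resource assignment.
foreach wanted {Administrator Administrators HelpDesk Finance} {
    puts [format "%-15s substring=%d exact=%d" $wanted \
        [has_group_substring $wanted] [has_group_exact $wanted]]
}
```

On the BIG-IP the exact-match form of the branch rule is expr { [lsearch -exact [mcget {session.saml.attr.groups}] "Administrators"] >= 0 }. One further point that is general Azure AD behaviour rather than something from the thread: the group claim Azure AD emits contains group object IDs (GUIDs) unless the enterprise application is configured to send group names, so the string compared against in the expression must match what actually arrives in the assertion.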