JDL_53476
Jun 03, 2014 Nimbostratus
Using an irule to rewrite content in a SAML response
I am using our F5 as a SAML IdP and I have an issue that requires me to alter the SAML response before sending it back to the SP. The SP's system is balking at the usage of a plain & instead of an &amp; in the response, but that & is part of the ACS URL, and if I change it in the SP configuration then the F5 cannot find a matching connector. This is because when it parses the SAML request with this string in the ACS URL: "awr=1&amp;realm=HHMI-T" it parses it as "awr=1&realm=HHMI-T". The problem is that when it sends the SAML response back it does not properly encode "awr=1&realm=HHMI-T" into the legal XML form "awr=1&amp;realm=HHMI-T" and the SP rejects it as bad XML. So my solution is to apply a blank Stream profile and the following iRule:
when HTTP_REQUEST {
    # Disable for client requests
    STREAM::disable
}
when HTTP_RESPONSE {
    # Disable other responses
    STREAM::disable
    if { [HTTP::header value Content-Type] contains "application/x-www-form-urlencoded" } {
        # Replace the bare & in the ACS URL with its XML entity form
        STREAM::expression {@awr=1&realm=HHMI-T@awr=1&amp;realm=HHMI-T@}
        # Enable Stream for this response
        STREAM::enable
    }
}
My question is: since the SAML response is base64 encoded, do I need to use the b64decode function to read the SAML response before using a replace function with the STREAM::expression command?
Thanks
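The question above turns on what a byte-level stream filter actually sees on the wire. The following Python is an added example written for this page (it is not from the original post and not F5 or iRule code; Python is used because it models the encoding steps directly). It constructs a minimal SAML Response whose Destination attribute carries an unescaped & (the same "awr=1&realm=HHMI-T" string as the post), wraps it the way the HTTP-POST binding does (base64, then form-urlencoded into a SAMLResponse field), and shows that the literal search string never appears in that body. It then does the rewrite the right way round: decode, escape only bare ampersands (leaving existing entities alone), confirm the result is well-formed XML, and re-encode. The hostname sp.example.test and the Response ID are constructed placeholders.

```python
import base64
import re
import urllib.parse
import xml.etree.ElementTree as ET

# Constructed sample: a minimal SAML Response whose Destination attribute
# contains a bare '&', which makes the document non-well-formed XML.
RAW_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example-id" Version="2.0" '
    'Destination="https://sp.example.test/acs?awr=1&realm=HHMI-T">'
    '<samlp:Status>'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
    '</samlp:Status>'
    '</samlp:Response>'
)

# Matches an '&' that does not already start a character or entity reference,
# so '&amp;' and '&#x27;' are left untouched while a bare '&' is escaped.
BARE_AMP = re.compile(r'&(?!(?:amp|lt|gt|quot|apos|#\d+|#x[0-9A-Fa-f]+);)')


def escape_bare_ampersands(xml_text: str) -> str:
    """Escape only the ampersands that are not already part of a reference."""
    return BARE_AMP.sub('&amp;', xml_text)


def encode_post_body(xml_text: str) -> str:
    """Model the HTTP-POST binding: base64 the XML, then form-urlencode it."""
    b64 = base64.b64encode(xml_text.encode('utf-8')).decode('ascii')
    return urllib.parse.urlencode({'SAMLResponse': b64})


def decode_post_body(body: str) -> str:
    """Reverse encode_post_body: form-decode, then base64-decode the field."""
    fields = urllib.parse.parse_qs(body)
    return base64.b64decode(fields['SAMLResponse'][0]).decode('utf-8')


def is_well_formed(xml_text: str) -> bool:
    """True if a strict XML parser accepts the document."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def literal_visible_in_body(body: str, needle: str) -> bool:
    """Would a byte-level search/replace on the encoded body ever match?"""
    return needle in body


def fix_post_body(body: str) -> str:
    """Decode, escape bare ampersands in the XML, and re-encode the body."""
    xml_text = decode_post_body(body)
    return encode_post_body(escape_bare_ampersands(xml_text))


if __name__ == '__main__':
    body = encode_post_body(RAW_RESPONSE)
    print('raw XML well-formed:', is_well_formed(RAW_RESPONSE))
    print('literal visible in encoded body:',
          literal_visible_in_body(body, 'awr=1&realm=HHMI-T'))
    fixed_xml = decode_post_body(fix_post_body(body))
    print('fixed XML well-formed:', is_well_formed(fixed_xml))
    print('Destination:', ET.fromstring(fixed_xml).get('Destination'))
```

Two things follow from running it. First, the base64 alphabet contains no '&', so a search expression written against the decoded text can never match the encoded body; any rewrite has to happen on the decoded XML and be re-encoded afterwards. Second, the escaping must be selective: blindly replacing every '&' would double-escape any entity already present. Separately, if the Response or Assertion is signed, a byte-level rewrite after signing invalidates the XML signature, so the durable fix is to have the IdP emit correctly escaped XML or to align the connector configuration, rather than to patch bytes in transit.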