Forum Discussion

nels_t
Aug 25, 2019

Using SAML Resource in a different APM Full access policy

I have set up a cloud application on our F5 APM as a SAML SP, and the F5 as our IdP. We use Active Directory for the directory service, and for this particular cloud app the Assertion Subject Type is Email Address. This is working fine for SP-initiated and IdP-initiated connections using the APM access policy (let's call it PolicyA), so I have tried to extend this further by putting the SAML resource for this policy in our general staff APM portal (PolicyB), and surprisingly that worked. There is one exception however - we need to in some cases manipulate the email address string to remove the apostrophe character from the email address (since the cloud app does not support the character).


In PolicyA (the one dedicated to this SAML SP), I have put a variable assign action before the Adv Resource assignment to strip the character out:

session.ad.last.attr.mail = if { [mcget {session.ad.last.attr.mail}] contains "'" } { set emailadd [mcget {session.ad.last.attr.mail}]; return [string map {{'} {}} $emailadd]; } else { return [mcget {session.ad.last.attr.mail}] }


My issue is, when I use the SAML Resource in PolicyB, the code to strip out the apostrophe never runs. Is there a way to ensure for a SAML SP that the code to strip out the apostrophe runs, without affecting other resources presented on the APM portal? I figure I could add the same variable assign action from PolicyA to PolicyB but that will cause the email string modification to be in effect for all applications that are launched from PolicyB (if I understand this correctly).


Any help would be appreciated
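The apostrophe-stripping logic from the variable assign above, written as a plain Tcl proc that runs in tclsh (an added example, not code from the original post or from F5). The proc name normalize_mail, the regexp guard and the sample addresses are constructed for this example; it assumes the attribute holds a single value rather than a list.

```tcl
# Added example: the same string map as the APM variable assign, plus a
# guard so that a SAML subject is never issued as an empty or mangled value.

proc normalize_mail {mail} {
    # string map removes every apostrophe; on a string without one it is a
    # no-op, so the "contains" test in the original expression is not needed.
    set cleaned [string map {{'} {}} $mail]
    # Guard (assumed check, not part of the original): refuse a result that no
    # longer looks like local@domain.tld rather than sending it to the SP.
    if {![regexp {^[^@\s]+@[^@\s]+\.[^@\s]+$} $cleaned]} {
        error "normalize_mail: '$mail' did not normalize to a usable address"
    }
    return $cleaned
}

# Constructed sample inputs: one apostrophe, several, and none.
foreach addr {o'brien@example.com d'arcy.o'neil@example.com jane@example.com} {
    puts [format "%-30s -> %s" $addr [normalize_mail $addr]]
}

# In APM the proc body would sit in the variable assign with
# [mcget {session.ad.last.attr.mail}] as its input.
```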
