AD attributes in SAML assertion
Configured BIG-IP as an IDP and registered SAML Application as SP. Added an AD Authentication and everything works as expected. But now would like to pass few user attributes in the SAML assertion , such as emailaddress of the user. I understand that just adding the attributes in the local IDP would not help. also i tried to change the Access Profile Could someone list the steps in detail to fetch the attributes from Active Directory and pass the same in SAML assertion.?
Sending specific active directory groups as SAML attributes
This is a two part question. We are building out SSO with a new Service Provider (SP). The SP is looking for specific Active Directory group(s) that they will use to determine the user's role. The attribute we are passing is named "RoleName" and the value is %{session.ldap.last.attr.memberOf}. Is there a way we can send just the groups they need instead of sending all groups the user is a member of? How can everything after the first CN be stripped off? For example, if member of returns CN=abc group,CN=Users,DC=company,DC=com and you want to return just "abc group". We are running F5 Big-IP LTM and APM version 12.1.2.
SAML IdP logon page to pass email address to SP
I created a logon page which uses username and password to authenticate the user with AD but the SP is requesting the users email address in the SAML assertion. If I set the IdP service Assertion Subject Value to %{session.logon.last.logonname} I can see that attribute when running the FireFox SAML Tracer. If I change the Subject vlaue to %{session.ad.last.attr.mail} I do not see the email address in the SAML Assertion. Do I need to add an AD Query or Variable Assignment in the VPE to get the email address and how do i get that into the assertion? An additional question if anyone cares to chime in, what do I set as the Assertion Subject Type? When would you select Entity Identifier, Transient Identifier, or Email Address? I tried all of the fore mentioned but it didn't get me the correct results.SAML SSO send specific AD Group in Assertion
We are using F5 APM as IdP and are trying to send AD Groups in our SAML assertion to the SP using the attribute session.ldap.last.attr.memberof. Some of our AD groups have special character, causing the assertion to fail as documented in https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15157.html. We don't need to send all the AD Groups to the SP, only the groups that would be related to the application we are logging into. We are trying to configure a custom variable in the APM to select specific groups. Is this possible? Could we configure a custom expression like { set memberof [mcget {session.ldap.last.attr.memberof}] contains "appname" }?
