tcl
30 Topics

tcl logic in SAML Attribute value field possible?
Hi. We're running BigIP as a SAML IDP. Can I somehow issue tcl logic in a SAML attribute? I'm talking about the Access ›› Federation : SAML Identity Provider : Local IdP Services, editing an object, under SAML Attributes. Based on what's in the memberOf attribute, I need to issue as a value either empty string or "SpecificValue". I am familiar with the %{session.variable} construct, but I don't want to clutter the session with more variables if I can avoid it, as that impacts all sessions using our IDP (30 or so federated services on the same VIP and AP). I tried these two approaches:

    %{ set result {} ; if { [mcget {session.ad.last.attr.memberOf}] contains {| CN=SpecificGroup,OU=Resource groups,OU=Groups,DC=Domain,DC=com |}} { set result {SpecificValue} } ; return $result }

    expr { set result {} ; if { [mcget {session.ad.last.attr.memberOf}] contains {| CN=SpecificGroup,OU=Resource groups,OU=Groups,DC=Domain,DC=com |}} { set result {SpecificValue} } ; return $result }

Expected result: An issued claim with the value "" or "SpecificValue"
Actual result: An issued claim with the above code as the value

As I mentioned, we've set it up using one VIP that is hosting 30 or so services. We're running 16.1.3.1. They are using the same SSO configuration and there's an iRule triggered at ACCESS_POLICY_AGENT_EVENT, which does some magic to extract issuer and suchlike, and that helps to make decisions later in the Access Policy. It also populates a few session variables under the session.custom namespace for use in the Access Policy. Additional session variables are being populated in the Access Policy, such as resolved manager and their email address. I have looked briefly at the ASSERT::saml functions, but even if it would be possible to manipulate that way, I wish to keep this set up as streamlined as possible and with as few new "special cases" in an iRule.
So while I appreciate pointers along that route as well, I would first of all like to know if there is a way to do it natively in the SAML attribute value field. And if there are any options I have not yet explored here?
1.1K Views, 0 likes, 6 Comments

Is it possible to use the following iRule syntax with TCL in a policy ?
Hello, I've set up some code in an iRule. This concerns a code that will take the URI, within this URI, search for first directory in the path and put it tolower before sending it to the server.

    set uri [HTTP::uri]
    set block [lindex [split $uri /] 1]
    if { $block ne [string tolower $block]} {
        set block2 [string tolower $block]
        HTTP::uri [string map [list $block $block2] $uri]
        #log local0. "Rewrited part of the URI : $block2"
        #log local0. "URI Send to Back-end application : https://[HTTP::host][HTTP::uri]"
    }

Is it possible to put this code in a TCL within a policy rule ? I need to replace the first directory of the URI (ie: "/APPLICATION/dir1/DIR2/index.html") to lowercase /application/dir1/DIR2/index.html (the rest of the URI must stay intact, only /Application/ part must be set to lowercase). Thanks in advance. Regards Frédéric
698 Views, 1 like, 2 Comments

string trim generating strange results
Hi, I have an issue with one of my string manipulations with variables:

    set test [ACCESS::session data get session.http.last.response_cookie]
    set test [lindex [split $test "|"] 0]
    set test [string trim $test "Test="]

So, my cookie is built up like this:

    example: Test=ZTR(abc1234-1);ABC(qwe12314);|version=1;...
    example: Test=OEZZV(abc1234);ABC(qwe12314);|version=1...

In the first example, my $test ends up being correctly shown as "ZTR(abc1234-1);ABC(qwe12314);". In the second one, $test ends up being "ZZV(abc1234);ABC(qwe12314);". So the "OE" is stripped away, although it shouldn't be. I've read about some odd results with trim when using numbers and I assume that this occurs because the OE (letter O, not number 0) represents some kind of value that is handled by the F5 differently. But can anyone tell why and how to mitigate this? Is it possible to handle the variable as a string variable or similar, so that these changes of the values are not done? Thanks in advance!
303 Views, 0 likes, 1 Comment

Advanced Resource Assign Expression Failing
I have a logging agent right before the Advanced Resource Assign with session.custom.* The variable I am testing against is shown. I cannot get the right information to display. I tried ends_with "201" and tried contains "201" but the second one will NOT load and I have no idea why. I do not see those resources on the webtop.

    Common:bcb3012f: Logging Agent
    Common:bcb3012f: session.custom.rdp.destination is 172.30.7.119
    Common:bcb3012f: session.custom.rdp.domain is WORKGROUP
    Common:bcb3012f: session.custom.rdp.password is **********
    Common:bcb3012f: session.custom.rdp.username is a
    Common:bcb3012f: session.custom.version is 801-201

633 Views, 0 likes, 2 Comments

BIG-IP : tcl boolean logic for string comparisons
F5 BIG-IP Virtual Edition v11.4.1 (Build 635.0) LTM on ESXi

What is correct syntax for boolean operations around string comparisons ?

    set a "a"
    set b "b"
    set result 0
    if { { $a eq "a" } && { $b eq "b" } } { set result 1 }

This compiles but throws a runtime exception :

    expected boolean value but got " $a eq "a" " while executing "if { { $a eq "a" } && { $b eq "b" } ...

389 Views, 0 likes, 1 Comment

BIG-IP : TCL to match member of set
F5 BIG-IP Virtual Edition v11.4.1 (Build 635.0) LTM on ESXi

There must be a better way :

    if { ( $segments_count == 3 ) || ( $segments_count == 4 ) || ( $segments_count == 5 ) } {
    if { [expr {$name_first eq "John"}] || [expr {$name_first eq "Greg"}] || [expr {$name_first eq "Brian"}] } {

NOTE: I don't want to use class matches ( as these require external data-group-files )
269 Views, 0 likes, 2 Comments

BIG-IP irule : determine page-type
F5 BIG-IP Virtual Edition v11.4.1 (Build 635.0) LTM on ESXi

Request urls can be in following forms :

    www.gofish.com
    www.gofish.com/barracuda
    www.gofish.com/sharks/blacknose
    www.gofish.com/species.html
    www.gofish.com/bait.aspx
    www.gofish.com/bait.aspx?color=green

I need to determine if a request is for a page ( *.html , *.aspx ) vs a resource ( barracuda , /sharks/blacknose ). More specifically, I need to determine if request is for an .aspx page.
253 Views, 0 likes, 1 Comment

Loading DLLs within iRules?
Hello, Is it possible to load DLLs/SOs within iRules using the TCL load command? Something like

    when HTTP_REQUEST {
        load [file join [pwd] mylib.DLL]
        ... call some function from mylib...
    }

If it's possible, is there anything special that needs to be done about the functions in mylib.DLL? Would iRules be able to infer the different return types? If it's not possible to load third-party DLLs, then is there some mechanism to access custom logic outside of the iRules?
Solved. 493 Views, 0 likes, 1 Comment

APM :: Detecting IE 11
Ok I suck, I know. But why is this wrong?

    expr { [string tolower [mcget {session.user.agent}]] matches_regex {trident\/7.+rv\:11} }

It never matches... even though my UA is:

    Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko

I'm using an empty branch rule with this as the 'advanced' script above. Always hits fallback (i.e. doesn't match).
448 Views, 1 like, 3 Comments

Local Traffic Policy for creating Logging Profile
Hi All, I am working on creating a logging profile for HTTP/S virtual server for which I need help in tcl format for below logging parameters like

    tcl:[HTTP::host]: Virtual server name
    BIGIP HOSTNAME
    DATE and TIME
    CLIENT PORT
    POOL NAME
    SERVER IP
    SERVER PORT
    SNAT PORT
    HTTP STATUS CODE

Thanks Ashish Solanki
659 Views, 0 likes, 3 Comments