vpe
30 Topics

Sending HTML Emails via APM Email Action
Hi All, Is it possible at all to send HTML emails (so as to include an image in the email body) via the APM policy by default? I see a few threads from years gone by where people were asking for this, but no solid answers. Alternatively, without having to write out the entire SMTP conversation and instead leveraging the email options on F5, is it possible to iRule this in its simplest form? Many thanks, JD
Solved | 1.3K Views | 0 likes | 3 Comments

APM Cookbook: Dynamic APM Variables
Introduction
In this article we’ll discuss how to set a variable dynamically. The most common use case is setting something like a role attribute to use in SAML. We’ll use the example of setting a SAML attribute named “role” based on group membership. You need to set the value of “role” to either “managers”, “finance”, or “users”, depending on group membership. The trick is that you can only send one value, even if the user is a member of multiple groups. Preference is hierarchical: first “managers”, then “finance”, and everyone else gets the role “users”. You could do this in an iRule or in a TCL expression in the Variable Assign object. However, I like to leverage the Visual Policy Editor GUI wherever possible so that I can quickly examine a policy flow and determine what’s happening without reading code, and most importantly, so that those who come after me don’t have to decipher what I was doing.

Macros Are Your Friend
We’ll assume you’ve already got a policy with a logon page, AD Auth, AD Query, and resource assignment for the SAML resource. We will create a macro named “Role Variable Setting” to perform this action after the AD Query. It goes after the AD Query because first we need to collect the group information. Here’s what the policy will look like with the piece we’re adding. We want to create our flow in a macro because otherwise it could clutter up the policy itself: imagine twenty different conditions and all the branches you'd have. The macro can have all those branches exit to one place, making it all much cleaner and simpler to maintain. To create the macro, click “Add New Macro” inside the Visual Policy Editor (VPE). You should use the “empty template” and name it something relevant to you; I’ve named mine “Role Variable Setting”. After building it out, here’s what my macro looks like when completed.

Setting the Conditions
We will start by building this section of the macro: First I added an “empty” object from the general purpose tab. I named it “Empty (Group Check)”. Go to the branch rules tab and add rules as appropriate. Below is my complete macro. Notice the arrows on the right-hand side of the branch rules list; you can reorder for preference, with the most preferred at the top. Remember that we said preference went to the managers role, then finance, and finally everyone else (fallback). Your branch rules could be based on conditions like geolocation, landing URI, and many more. You can also go to the Advanced tab and modify the TCL expression if the simple GUI builder doesn’t meet your needs. The branch rule will be used if it resolves to “true”, and you can create complex logical statements with AND/OR even using the GUI. To build those branch rules I went into the Empty object and selected the Branch Rules tab. Then I chose Add Branch Rule, selected the Simple tab, Add Expression, then AD Query, then User is a Member Of, and entered the full DN path as you can see here, then Add Expression and Finished. This uses the data from our AD Query earlier in the policy flow.

Setting the Variable
Now we have three branches out of the Empty object and need to do something on them. We'll be building this section of the macro now: On each branch I added a Variable Assign from the Assignment tab to set my custom variable. Here’s what it looks like inside the Variable Assign objects. I got that by clicking Add New Entry and then inputting the values as you can see below. Now that I have my macro complete, all I need to do is add it from the Macros tab into the policy after the AD Query.

Using the Variable
Now, to use that dynamically set variable, I simply need to call %{session.custom.role} within APM. If I need it in an iRule I can use [ACCESS::session data get session.custom.role], and if I need it in a TCL expression such as a branch rule I can use [mcget {session.custom.role}]. Here is an example where I’m using it as the value for a SAML attribute named “role”.
1K Views | 0 likes | 0 Comments

RegEx on Landing URI
Hi Everybody, I would like your precious help with a problem I have on F5 APM. My customers connect to their appliance through an SSO portal with a SAML server. My problem is: when a customer shares a URL with another, for example https://myurl.com/AaBbCcDdEeFfGgHhIiJj, and the other clicks on it, they face an F5 error page, despite already being logged in to SSO. The solution is to add the exact URL in VPE. This way, the customer accesses the page directly. As you can guess, it is very hard to maintain every URL in the F5 to avoid this problem. I am looking for a solution to add a landing URI like this: "https://myurl.com/*". But this solution doesn't work. If you have any idea, don't hesitate. I hope you will understand the description of my problem. Sorry for the English.
Solved | 700 Views | 0 likes | 3 Comments

APM VPE - Different branch rules depending on different IP Subnet Match via classmatch data group?
Hi there, we are trying to allow a specific feature or progress only when internal and specific other source IP addresses which hit the VIP are in the list of "IP Subnet Match". As these are getting more and more numerous and I would also like to include comments, I need to use a data group instead. How can I say in a Branch Rule that it should match the source IP address against the IP addresses in this data group instead of using this "subnet match"? There might be some obvious ways to do that, but currently I have no idea. Maybe also an advanced expression in the branch rule using something like " if { [class match [IP::addr [IP::client_addr] equals source-ips] } { do something } Any ideas for this issue? Thanks in advance for your feedback! Best regards, Felix
646 Views | 0 likes | 4 Comments

Is there a list of ALL possible APM session variables available?
Hi guys, I am wondering, is there a list of all possible APM session variables available somewhere? I realized that dumping session.* through the VPE Logging box does not actually show all session variables, although one would expect that. Or, for example, dumping session.user.* does not display session.user.ipgeolocation.country_code in the APM log file. It does so only when I explicitly define this variable in the VPE Logging box. There are a few lists on the AskF5 website, but none of them looks to be complete; many variables I know of are missing from those lists. I am about to create some customized reporting based on session variables and I would like to know all the variables I can work with. If you have any idea, please let me know. Thanks a lot!
558 Views | 0 likes | 3 Comments

APM VPE skip next item
I'm trying to configure an item to check the client OS: if it is Windows, Linux, or MacOS, then check AV; if not, continue as normal to the logon page. How can I connect the 'Others' action as below to the 'logon page' item? If I swap it, then the 'antivirus' successful action will be lost. Is there a solution for an issue like this?
Solved | 555 Views | 0 likes | 2 Comments

Session Variable names with special characters
Hi, I am trying to access a session variable in the Policy Editor and display it in a message box, but that variable name has special characters and it keeps showing the variable name instead of the value. I am using the following, which displays normally:
session.user.sessionid = %{session.user.sessionid}
session.saml.last.identity = %{session.saml.last.identity}
The one that has a problem is:
dataofbirth = %{session.saml.last.attr.name.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth}
I tried to escape the dots in schemas.xmlsoap.org using \ but it doesn't work. I also tried to escape the slashes and the colon and it doesn't work:
http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/dateofbirth
Any ideas? Or maybe guidance on how to access SAML session variables that hold the attribute values in general would be appreciated. Thanks a lot.
544 Views | 0 likes | 1 Comment

LTM+APM SSO only for designated Subnets
Hi, we have a problem. We have configured a virtual server with an access policy and NTLM-SSO. We use the authentication only for users of public subnets. If a user comes from a private subnet, we do not present a logon page, so that the user gets passed through and the browser takes the credentials out of the browser for SSO on the site (SharePoint in my case). This works, but for users where I don't have a logon page and an SSO mapping I get the error message in the APM log "Could not find SSO username, check SSO credential mapping agent setting". Also, depending on the client, up to 30! APM sessions are opened per client. So my question: how can I suppress this message and get only one session per client? Thanks for your answers, Martin
511 Views | 0 likes | 6 Comments

Use APM variable in redirect ending for VPE
Trying to clean up my VPE, would like to create a handful of macros and have minimal endings: allow, deny, redirect, etc. Is it possible for me to use a variable on a Redirect ending in the redirect URL box? Does it take TCL at all? I was hoping to just use a redirect to https://{[mcget {session.server.network.name}]} or something. Maybe tack on a URI variable also. Worst case scenario, I could use an iRule on ACCESS_ACL_DENIED if I'm not able to do this in VPE, correct? Any other events I should consider? Also, are there any limits on Macro calls in a VPE? Nested Macro calls? Not trying to do any loops or anything. Thank you.
499 Views | 0 likes | 2 Comments

LTM+APM SSO only for designated Subnets
Hi, we have a problem. We have configured a virtual server with an access policy and NTLM-SSO. We use the authentication only for users of public subnets. If a user comes from a private subnet, we do not present a logon page, so that the user gets passed through and the browser takes the credentials out of the browser for SSO on the site (SharePoint in my case). This works, but for users where I don't have a logon page and an SSO mapping I get the error message in the APM log "Could not find SSO username, check SSO credential mapping agent setting". Also, depending on the client, up to 30! APM sessions are opened per client. So my question: how can I suppress this message and get only one session per client? Thanks for your answers, Martin
497 Views | 0 likes | 6 Comments