
How do you filter a SAML Attribute

We currently use the memberOf %{session.ad.last.attr.memberOf} attribute. Is there a way to filter it so we only send a single attribute for CN=ABC Users? We cannot specify this in the Access Policy because we have different IdPs and SPs using the same Policy.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hello,

I was looking for a documented way to send a subset of user groups in a SAML response. And here's what I found - https://communities.ca.com/thread/241696397view SAML assertions. Perhaps, you could find some helpful ideas here too.

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Just a quick thought from the top of my head: you can write an iRule to extract the data you need, and store it in the session:

when ACCESS_ACL_ALLOWED {
  # Read the multi-valued memberOf attribute collected by the AD query agent
  set ad_memberOf [ACCESS::session data get "session.ad.last.attr.memberOf"]
  # Store 1 if the group DN appears anywhere in the list, otherwise 0
  ACCESS::session data set "session.custom.memberOfABC" [string match "*CN=ABC Users*" $ad_memberOf]
}

Then, you can return it in your SAML assertion via %{session.custom.memberOfABC}, which will contain either 0 or 1, depending on whether the user is a member of CN=ABC Users.

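As an added example, not code from the original thread, the following iRule variant stores the matching group DN itself rather than a 0/1 flag, which is closer to what the question asks for (send only the CN=ABC Users value to the SP). It assumes APM stores multi-valued AD attributes as one string with " | " between values, and that the group's first RDN is exactly CN=ABC Users; confirm both against a session variable dump before relying on it. It also compares the RDN exactly instead of using a wildcard, so a similarly named group such as CN=ABC Users Admins is not reported as a match.

```tcl
when ACCESS_ACL_ALLOWED {
  # Multi-valued AD attributes are assumed to be stored by APM as a single
  # string with " | " separating the values (verify on your system).
  set ad_memberOf [ACCESS::session data get "session.ad.last.attr.memberOf"]

  # Group whose DN is allowed to reach the SP (hypothetical value from the question)
  set wanted_rdn "CN=ABC Users"

  set filtered {}
  foreach dn [split $ad_memberOf "|"] {
    set dn [string trim $dn]
    if { $dn eq "" } { continue }
    # Compare only the first RDN, case-insensitively, as an exact string:
    # a wildcard match on the whole DN would also accept "CN=ABC Users2"
    # or "CN=ABC Users Admins".
    set rdn [string trim [lindex [split $dn ","] 0]]
    if { [string equal -nocase $rdn $wanted_rdn] } {
      lappend filtered $dn
    }
  }

  # Either the single matching DN or an empty string; nothing else is exposed.
  ACCESS::session data set "session.custom.memberOfABC" [join $filtered " | "]
}
```

Reference %{session.custom.memberOfABC} in the assertion attribute as in the accepted answer; when the user is not in the group the attribute value is empty rather than the full group list, so the other groups in memberOf never leave the IdP.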