iRule to assign user id in SAML Assertion message to http header

Need help to assign user id in SAML Assertion message to http header so that Non-SAML application can be supported.

Deployment Scenario:
  • BIG-IP as SAML SP and external IdP
  • PeopleSoft application - SAML not supported
  • Used the following iRule to map user id in SAML Assertion to http header but no value in the variable

when ACCESS_POLICY_COMPLETED {
    log local0. "ACCESS POLICY COMPLETED"
    set pplsftUser [ACCESS::session data get "session.saml.last.attr.name.nameid"]
    log local0. "PeopleSoft User $pplsftUser"
    HTTP::header insert "X-P" $pplsftUser
    log local0. "Header Inserted $pplsftUser"
}

Need to know how to get user-id on ACCESS::session code?

Thanks and Best regards Teddy


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

In access log menu, search the APM session variable which contains the expected value.

Then change the code with ACCESS_ACL_ALLOWED event!

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Teddy,

you may take a look at the iRule below...

when ACCESS_ACL_ALLOWED {
    # Removing any occurrence of user provided X-P headers (for security reasons)
    HTTP::header remove "X-P"
    # Injecting the SAML nameid value as new X-P header (for SSO purposes)
    HTTP::header insert "X-P" [ACCESS::session data get "session.saml.last.attr.name.nameid"]
    # log local0.debug "Debug: Insert HTTP-Header X-P=[ACCESS::session data get "session.saml.last.attr.name.nameid"]"
}

The iRule removes at first any user provided X-P HTTP-header instance (for security purposes) and then copies the value of the APM variable "session.saml.last.attr.name.nameid" into a new "X-P" HTTP-header.

Cheers, Kai

Comments on this Answer
Comment made 01-Feb-2018 by Teddy A 1

Not able to get the nameid in HTTP header or even on SAML ACCESS::session data. However, I do have the SAML Response from the iDP to the client as follows, as per the client SAML Tracer:

<saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">test</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">

Thanks

Comment made 01-Feb-2018 by Kai Wilke 6942

Some basic questions to help you further...

  1. You do SAML auth with APM, right?
  2. You got "session.saml.last.attr.*" APM session information once a user is logged in via SAML?
  3. What is the exact name of the APM session attribute (e.g. "session.saml.last.attr.attribute_name") you're looking for and want to inject into the HTTP headers?

Cheers, Kai

Comment made 02-Feb-2018 by Teddy A 1

Thanks Kai,

  1. Correct, I do SAML auth with APM as SP and with external iDP
  2. How do I check the possible SAML attrs sent by the iDP?
  3. Not sure which APM session attribute gives me employee id. However the IDP is configured to send employeeID and accountname as follows:-
    <saml2:AttributeStatement>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/employeeID"
                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                     >
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                              xsi:type="xs:string"
                              >3801</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/samaccountname"
                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                     >
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                              xsi:type="xs:string"
                              >test</saml2:AttributeValue>
    </saml2:Attribute>
</saml2:AttributeStatement>

One more issue: I don't get the above SAML attributes in the client browser SAML tracer. My understanding was that those attributes should be sent by the IDP to the client and the client will send them to F5/SP. Is that correct? If that is the case, why am I not seeing the attrs in the client tracer, or does the IDP send the attributes directly to the SP?

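Added example iRule, not posted by anyone in this thread and not F5's own code: it builds on Kai's strip-then-insert pattern above and on the employeeID attribute from the AttributeStatement in the comment, failing closed instead of forwarding an empty or malformed identity header. It assumes APM stores each SAML attribute as "session.saml.last.attr.name.<AttributeName>" (the pattern the nameid variable on this page follows); the "X-P" header name and the claim URI are taken from the thread.

```tcl
# Added example (not from the original thread or F5): inject the SAML
# employeeID claim as a trusted header and fail closed when it is absent.
# ASSUMPTION: APM exposes each SAML attribute as
# "session.saml.last.attr.name.<AttributeName>"; confirm the exact name in
# the APM session variable report before relying on it.
when ACCESS_ACL_ALLOWED {
    # Header the PeopleSoft side trusts for the user id (from the thread).
    set hdr "X-P"
    # Attribute Name used in the IdP's AttributeStatement (from the thread).
    set attr "session.saml.last.attr.name.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/employeeID"

    # Always strip any client-supplied copy first so a user cannot spoof it.
    HTTP::header remove $hdr

    # Look the value up; ACCESS::session data get returns "" when unset.
    set uid [ACCESS::session data get $attr]
    if { $uid eq "" } {
        # Fall back to the NameID, which is what the original iRule used.
        set uid [ACCESS::session data get "session.saml.last.attr.name.nameid"]
    }
    if { $uid eq "" } {
        # No identity in the session: block rather than send an empty header
        # that the backend might treat as an anonymous or default account.
        log local0.warn "APM session [ACCESS::session sid]: no SAML identity attribute, blocking request"
        ACCESS::respond 403 content "Missing identity assertion" noserver
        return
    }
    # Only forward values that look like a plain identifier; CR/LF or
    # other control characters could otherwise split the header.
    if { ![regexp {^[A-Za-z0-9._@-]+$} $uid] } {
        log local0.warn "APM session [ACCESS::session sid]: unexpected characters in identity attribute"
        ACCESS::respond 403 content "Invalid identity assertion" noserver
        return
    }
    HTTP::header insert $hdr $uid
}
```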