
Mika_168321
Jan 28, 2016

SAML AuthContextClassRef. check iRule F5APM as SP

In the SAML messages there is an element AuthContextClassRef. We are trying to add an iRule to verify the authentication context of the user from the SAML assertion returned to the F5. The F5 APM stores the returned information in the user session (session.saml.last.authNContextClassRef). The F5 is set as SP; the authentication context returned from the IdP is stored in the access policy session variable session.saml./Common/saml_auth_and_resources_act_saml_auth_ag.authNContextClassRef.


The iRule would help us to verify whether the user has performed two-factor authentication using DUO or not. We are trying to match the string value of session.saml.last.authNContextClassRef against http://example.com/duo.


Any help with the iRule is appreciated


    when ACCESS_POLICY_AGENT_EVENT {
        if { [ACCESS::policy agent_id] eq "get_authcontext" } {
            set authcontext [ACCESS::session data get "session.saml./Common/saml_auth_and_resources_act_saml_auth_ag.authNContextClassRef"]
            # Compare $authcontext, not [$authcontext]: the brackets would try to
            # run the variable's value as a Tcl command instead of reading it.
            if { $authcontext eq "http://example.com/duo" } {
                # Result variable for the access policy to branch on
                # (the name session.custom.duo_mfa is a suggestion, not from the post)
                ACCESS::session data set session.custom.duo_mfa 1
            } else {
                ACCESS::session data set session.custom.duo_mfa 0
            }
        }
    }


The above iRule is not working. Any feedback is appreciated.


1 Reply

  • Josiah_39459
    Historic F5 Account
    Maybe a first step is to add logging to the iRule: log the session variable, log inside and outside your if statement, etc., to make sure the variables and logic are behaving the way you expect.
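Putting the original check and the logging suggested in the reply together, here is an added iRule written for this thread; it is not code from the post, the reply, or F5. It assumes the access policy contains an iRule Event agent with ID "get_authcontext" and branches on a session variable named session.custom.mfa_ok (both names chosen here). It generalizes the single string compare to a list of accepted contexts and handles the case where the assertion carries no AuthnContextClassRef at all, which the original compare would silently treat as a mismatch.

```tcl
# Added example for this thread (hypothetical agent ID and session variable names).
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "get_authcontext" } { return }

    # Contexts that count as strong authentication. The first URI is the value
    # from the post; the second is the standard SAML 2.0 class for
    # time-synchronised OTP tokens, included to show the list form.
    set strong_contexts [list \
        "http://example.com/duo" \
        "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"]

    set sid [ACCESS::session sid]
    # session.saml.last.* mirrors the per-agent variable of the most recent SAML Auth agent,
    # so it avoids hard-coding the long agent-specific variable name.
    set ctx [ACCESS::session data get "session.saml.last.authNContextClassRef"]
    log local0. "sid=$sid authNContextClassRef='$ctx'"

    if { $ctx eq "" } {
        # No assertion, or no AuthnContext element in it: treat as not verified.
        log local0. "sid=$sid no AuthnContextClassRef in assertion, mfa_ok=0"
        ACCESS::session data set session.custom.mfa_ok 0
        return
    }

    if { [lsearch -exact $strong_contexts $ctx] >= 0 } {
        log local0. "sid=$sid context '$ctx' accepted, mfa_ok=1"
        ACCESS::session data set session.custom.mfa_ok 1
    } else {
        log local0. "sid=$sid context '$ctx' not in accepted list, mfa_ok=0"
        ACCESS::session data set session.custom.mfa_ok 0
    }
}
```

The log lines show exactly which value APM stored for the session, inside and outside the comparison, which is the first thing to check when the compare never matches (trailing whitespace, a different URI than expected, or an empty variable because the SAML agent ran under another name). Note that the value being compared is whatever the IdP put in the assertion: APM has already validated the assertion's signature before populating the session variable, so the iRule enforces the IdP's claim about the authentication method, not the method itself.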