SAML AuthnContextClassRef check iRule, F5 APM as SP
In the SAML messages there is an element AuthnContextClassRef. We are trying to add an iRule to verify the authentication context of the user from the SAML assertion returned to the F5. The F5 APM stores the returned information in the user session (session.saml.last.authNContextClassRef). The F5 is set as SP, and the authentication context returned from the IdP is stored in the access policy session variable session.saml./Common/saml_auth_and_resources_act_saml_auth_ag.authNContextClassRef.
The iRule would help us verify whether the user has performed two-factor authentication using DUO or not. We are trying to match the string value of session.saml.last.authNContextClassRef = http://example.com/duo
Any help with the iRule is appreciated
when ACCESS_POLICY_AGENT_EVENT {
    # Only run for the iRule Event agent whose ID is "get_authcontext"
    if { [ACCESS::policy agent_id] eq "get_authcontext" } {
        set authcontext [ACCESS::session data get "session.saml./Common/saml_auth_and_resources_act_saml_auth_ag.authNContextClassRef"]
        # Compare the variable's value ($authcontext, not [$authcontext], which would try to run it as a command)
        if { $authcontext eq "http://example.com/duo" } {
            # session.custom.* is assumed here as the place to record the result for a policy branch
            ACCESS::session data set "session.custom.duo_authcontext" 1
        } else {
            ACCESS::session data set "session.custom.duo_authcontext" 0
        }
    }
}
The above iRule is not working. Any feedback is appreciated.
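The value APM stores in authNContextClassRef comes from the AuthnContextClassRef element of the assertion's AuthnStatement. The following added example (not part of the post, and not F5 code) shows that extraction and the exact-match comparison against the DUO URI in plain Python, on constructed SAML responses, including the case where the IdP returned no AuthnStatement at all. The DUO URI http://example.com/duo is taken from the post; everything else in the XML is constructed sample data.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# SAML 2.0 namespaces used by the Response and Assertion elements
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Context class the post expects for a DUO-backed two-factor login
EXPECTED_AUTHN_CONTEXT = "http://example.com/duo"


def get_authn_context_class_ref(response_xml: str) -> Optional[str]:
    """Return the AuthnContextClassRef text from a SAML 2.0 Response, or None if absent."""
    root = ET.fromstring(response_xml)
    node = root.find(
        ".//saml:Assertion/saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
        NS,
    )
    if node is None or node.text is None:
        return None
    return node.text.strip()


def has_duo_context(response_xml: str) -> bool:
    """Exact string match, as the iRule does; a missing element counts as no DUO."""
    return get_authn_context_class_ref(response_xml) == EXPECTED_AUTHN_CONTEXT


def _build_response(authn_statement: str) -> str:
    # Constructed minimal Response/Assertion skeleton around a given AuthnStatement
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
        '<saml:Assertion ID="_a1" Version="2.0">'
        "<saml:Issuer>https://idp.example.invalid</saml:Issuer>"
        + authn_statement
        + "</saml:Assertion></samlp:Response>"
    )


def _authn_statement(context_ref: str) -> str:
    return (
        '<saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">'
        "<saml:AuthnContext>"
        f"<saml:AuthnContextClassRef>{context_ref}</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement>"
    )


# Constructed sample responses: DUO, password-only, and no AuthnStatement at all
DUO_RESPONSE = _build_response(_authn_statement("http://example.com/duo"))
PASSWORD_RESPONSE = _build_response(
    _authn_statement("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")
)
NO_AUTHN_STATEMENT = _build_response("")

if __name__ == "__main__":
    for name, xml in [("duo", DUO_RESPONSE), ("password", PASSWORD_RESPONSE), ("none", NO_AUTHN_STATEMENT)]:
        print(name, get_authn_context_class_ref(xml), has_duo_context(xml))
```

The comparison is deliberately an exact match on the whole URI, which is also what the iRule's `eq` does; a substring or prefix test would accept a context class that merely contains the DUO string. The extraction here runs on already-parsed XML; in the APM flow the assertion's signature is verified by the SAML SP configuration before the session variable is populated, so the iRule never needs to parse or validate the XML itself.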