How do you filter a SAML Attribute

Question

We currently use the memberOf %{session.ad.last.attr.memberOf} attribute.
Is there a way to filter its so we only send a single attribute for CN=ABC Users?
We cannot specify this in the Access Policy because we have different IDP's and SP's using the same Policy.&nbsp;

drpsyche_375519 · Answer

Hello,&nbsp;
I was looking for a documented way to send a subset of user groups in a SAML response. And here's what I found - https://communities.ca.com/thread/241696397view SAML assertions. Perhaps, you could find some helpful ideas here too.&nbsp;

juraj · Answer

Just a quick thought from top of my head - you can write an iRule to extract the data you need, and store it in the session:
when ACCESS_ACL_ALLOWED {

set ad_memberOf [ACCESS::session data get "session.ad.last.attr.memberOf"]

ACCESS::session data set "session.custom.memberOfABC" [string match "*CN=ABC Users*" $ad_memberOf]
}

Then, you can return it in your SAML assertion via %{session.custom.memberOfABC}, which will contain either 0 or 1, depending on whether the user is a member of CN=ABC Users

Forum Discussion

How do you filter a SAML Attribute

2 Replies

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

Related Content

Multiple value seperator in saml Attribute

SAML attributes

Enable SAML Service Provider on F5 Distributed Cloud Application

Add SameSite attribute to APM Cookies

Lightboard Lessons: HTTP Cookie SameSite Attribute