Forum Discussion

BenJ
Jan 19, 2017

SAML Attributes Being Stripped with IdP Chaining

Hi all,


https://devcentral.f5.com/articles/apm-cookbook-saml-idp-chaining


Using the above article and a bunch of trial and error, I've successfully created an IdP chain. However, I'm having a small problem with it. The assertions I receive from the partner IdP have a list of SAML attributes included that are needed/useful to the end application, but in the process of consuming/producing a new assertion for the end application, these attributes are being stripped out by the F5.


The attributes are correctly formatted (I believe):

ID-HERE
HUMANNAMEHERE
GROUP1
GROUP2
GROUP3

In a Variable Assign agent I also add another attribute called "organisation". I can see that the F5 receives them by running a Session Variables report against the APM session. All the attributes, including my additional one, are in the "session.saml.last.attr." list. But the app developers have sent me the assertion that they receive from the F5 and the above attributes are all missing. The "Subject" (i.e. principal) is there and the status of "Success" as well, but not the extra attributes.


I haven't configured any attributes on my IdP (i.e. the second IdP in the chain, that passes the final assertion to the app), because when I was testing, these configured attributes would overwrite the ones passed by the first IdP. Is it possible that I should just create these attributes on my IdP and leave them blank/valueless? Will that then allow the F5 to populate those attributes with the values from the original assertion (assuming the same attribute name)? I had assumed that the F5 would take all the information from the original assertion and just re-sign/encrypt it for consumption by the internal app.


I'm not an app guy, so this isn't familiar territory for me. Been working with F5s for a while, but first foray into SAML/APM.


Any help appreciated!


Ben.


2 Replies

  • BenJ

    Update:


    Adding the attributes to the internal IdP with no pre-configured value doesn't work. Just sends them to the app with no values.


  • BenJ

    Solved the problem:


    Added the attributes to the internal IdP, as mentioned above, and then added APM variables as the attribute values.


    e.g. Attribute name=displayName, Value=%{session.saml.last.attr.name.displayName}


    Worked a charm.
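Added example, not from this thread or from F5: a short Python model of the mapping the last reply describes, showing why attributes configured with an empty Value (first reply) reach the app blank while `%{session.saml.last.attr.name.<attr>}` references carry the upstream values into the re-issued assertion. The session variable names and their list form are constructed for the demo, and `session.custom.organisation` is a hypothetical name for the extra attribute the post adds via Variable Assign.

```python
import re
import xml.etree.ElementTree as ET
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
VAR_RE = re.compile(r"%\{([^}]+)\}")

# Constructed session variables, named after the "session.saml.last.attr."
# entries the post reports in the APM Session Variables report. Holding
# multi-valued attributes as lists is a modelling assumption, not APM's format.
SESSION_VARS = {
    "session.saml.last.attr.name.uid": ["ID-HERE"],
    "session.saml.last.attr.name.displayName": ["HUMANNAMEHERE"],
    "session.saml.last.attr.name.groups": ["GROUP1", "GROUP2", "GROUP3"],
    "session.custom.organisation": ["Example Org"],  # hypothetical variable
}

def resolve(template, session_vars):
    """Expand %{variable} references in an attribute Value field.
    A bare %{var} keeps every value of a multi-valued attribute; an unknown
    variable expands to nothing, which is what an empty Value field yields."""
    m = VAR_RE.fullmatch(template.strip())
    if m:
        return list(session_vars.get(m.group(1), []))
    sub = lambda v: " ".join(session_vars.get(v.group(1), []))
    return [VAR_RE.sub(sub, template)]

def build_attribute_statement(attr_config, session_vars):
    """attr_config: (Name, Value template) pairs as configured on the internal
    IdP. Returns the AttributeStatement the re-issued assertion would carry."""
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name, template in attr_config:
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name)
        for value in resolve(template, session_vars) or [""]:
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return stmt

def attribute_values(stmt):
    """Flatten an AttributeStatement into {Name: [values]} for checking."""
    return {a.get("Name"): [v.text or "" for v in a] for a in stmt}

if __name__ == "__main__":
    # First reply: attributes added with no Value are sent to the app empty.
    blank = [("displayName", ""), ("groups", "")]
    print(attribute_values(build_attribute_statement(blank, SESSION_VARS)))
    # Second reply: Value references the upstream attribute's session variable.
    mapped = [("uid", "%{session.saml.last.attr.name.uid}"),
              ("displayName", "%{session.saml.last.attr.name.displayName}"),
              ("groups", "%{session.saml.last.attr.name.groups}"),
              ("organisation", "%{session.custom.organisation}")]
    print(ET.tostring(build_attribute_statement(mapped, SESSION_VARS), encoding="unicode"))
```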