Irule to match two APM variables

Question

I need some help with an Irule that should have this logic,

The attribute "samlattr" must match the value "employeeID" if there are a match the VPE should continue. If there are no match, the session should be terminated.

The variable "session.saml.last.attr.name.xyz" originates from a external IDP.

The variable "session.ldap.last.attr.employeeID" are a local AD attribute.

I´ve created this Irule, but it dosen´t seems to be working.

 when ACCESS_POLICY_AGENT_EVENT { 

   set samlattr [ACCESS::session data get "session.saml.last.attr.name.xyz"]
   set employeeID [ACCESS::session data get "session.ldap.last.attr.employeeID"]
  if { [ class match $samlattr eq $employeeID] } {

} else {
       discard
}

}

Any takes?

&nbsp;&nbsp;&nbsp;set samlattr [ACCESS::session data get "session.saml.last.attr.name.xyz"]
&nbsp;&nbsp;&nbsp;set employeeID [ACCESS::session data get "session.ldap.last.attr.employeeID"]
&nbsp;&nbsp;if { [ class match $samlattr eq $employeeID] } {

} else {
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;discard
}

}

Any takes?

youssef1 · Answer

Hi,&nbsp;You don't need an Irule for this need instead using an Irule event.&nbsp;I advise you to use APM (Empty box)&nbsp;1- create an empty box2- Add a branch rules3 create an advanced expression&nbsp;And enjoy.&nbsp;

enes_afsin_al · Answer

Hi Squeak,Can you test this?when ACCESS_POLICY_AGENT_EVENT {
	set samlattr [ACCESS::session data get "session.saml.last.attr.name.xyz"]
	set employeeID [ACCESS::session data get "session.ldap.last.attr.employeeID"]
	
	if { $samlattr ne $employeeID } {
		discard
	}
}

squeak · Answer

Thanks youssef,​I´ll give your solution a try,  :)

squeak · Answer

youssef​I tried your solution and most of it worked but if the variable "session.ldap.last.attr.employeeID" are empty the session continues to the next block. The logic should be, if the variable "session.ldap.last.attr.employeeID" matches "session.saml.last.attr.name.xyz" everything are okay but if they don´t match or the variable are empty the APM should discard the session.​​

Forum Discussion

Irule to match two APM variables

4 Replies

Recent Discussions

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

minimum tmos software version for connect CIS (openshift)

Related Content

irule matching variable in uri

iRule variable

APM variable assign examples

iRule match & processing exit

iRules Style Guide