Forum Discussion
Update SAML attributes
Hello,
I would like to know if it's possible to update a SAML attribute on an existing session when the F5 is used as IdP.
Here is the scenario:
1 - User asks to log in to SP-A.
2 - He gets redirected to the IdP (F5), logs in, gets a SAML assertion and goes back to SP-A.
3 - User goes to another SP-B and asks to connect.
4 - He gets redirected to the IdP; as he already has a session, the F5 redirects him back to SP-B with the SAML assertion.
One of the SAML attributes is derived from a session variable, and this variable will change when the user goes to SP-B. The problem is that the attribute value is not updated in step 4.
Any idea how to solve this issue?
Thanks.
- Daniel_Varela
Employee
APM only evaluates the policy once, so the second time you access the IdP it will respond back with session variables as they were at authentication time. I don't really understand your use case here, but maybe a per-request access policy with the help of an iRule may help to do what you want.
- Abdessamad1
Cirrostratus
I did look at the per-request policy, but there is no option to update the SAML assertion.
The value I want to refresh is a custom token with a lifetime that we added as a SAML attribute. So when the user accesses the second SP, I want to provide him with a new token value in the SAML attribute, not the one that was provided with the first SP.
- Peter_Baumann_5
Nimbostratus
Are you talking about step-up authentication for SAML?
- Daniel_Varela
Employee
My idea is to modify a session variable during the per-request policy evaluation using an iRule through an iRule agent. In your SAML configuration, then map that session variable to your SAML attribute.
- Abdessamad1
Cirrostratus
I can already update the session variable via an iRule, that's not the problem.
The thing is that the SAML attribute is somehow fixed the first time it is set (even if it's configured to use the session variable).
Here is an extract of my iRule:
when HTTP_REQUEST {
    # Only act on the IdP's SSO endpoint (redirect/POST binding)
    if { [HTTP::uri] starts_with "/saml/idp/profile/redirectorpost/sso" } {
        # Require an existing, allowed APM session identified by the MRHSession cookie
        if { [HTTP::cookie exists MRHSession] and [ACCESS::session exists -state_allow [HTTP::cookie value MRHSession]] } {
            # Fetch a fresh token and store it in the session variable mapped to the SAML attribute
            # (oauthCall and key2value are the author's own procs, not shown in this extract)
            set oauthResp [call oauthCall]
            ACCESS::session data set session.oauth.access_token [call key2value $oauthResp access_token]
        }
    }
}
But the F5 is using the same attribute values it got the first time; the variable update is not taken into account.
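The failure mode described in this thread (an IdP re-sending a cached attribute value, so SP-B receives a token that was minted for SP-A and may already have expired) is something the relying party can detect on its side. The following is an added example, not F5 code and not from any poster in this thread: it parses a minimal SAML assertion, pulls the custom token out of the named attribute, and checks that the token's expiry is later than the assertion's IssueInstant. The attribute name `access_token`, the token format (base64url-encoded JSON with an `exp` claim) and the sample assertions are all constructed assumptions; a real deployment would also validate the signature, Conditions and Subject before reading attributes, and should parse untrusted XML with a hardened parser rather than plain ElementTree.

```python
"""Check that the custom token carried in a SAML attribute is still valid
at the time the assertion was issued.

Constructed example (not F5 code). Assumptions: the IdP places an access
token in an attribute named 'access_token', and that token is a
base64url-encoded JSON object with an 'exp' claim in UNIX seconds.
"""
import base64
import json
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def _b64url_decode(s: str) -> bytes:
    """base64url without padding -> bytes (restores '=' padding first)."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def token_exp(token: str) -> int:
    """Return the 'exp' claim (UNIX seconds) of the assumed token format."""
    return int(json.loads(_b64url_decode(token))["exp"])


def assertion_issue_instant(root: ET.Element) -> int:
    """IssueInstant of the assertion as UNIX seconds (SAML uses UTC ISO 8601)."""
    dt = datetime.strptime(root.attrib["IssueInstant"], "%Y-%m-%dT%H:%M:%SZ")
    return int(dt.replace(tzinfo=timezone.utc).timestamp())


def attribute_value(root: ET.Element, name: str) -> str:
    """First AttributeValue of the Attribute whose Name matches (KeyError if absent)."""
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.attrib.get("Name") == name:
            val = attr.find("saml:AttributeValue", NS)
            return val.text.strip() if val is not None and val.text else ""
    raise KeyError(name)


def token_is_fresh(assertion_xml: str, attr_name: str = "access_token") -> bool:
    """True if the token in attr_name expires after the assertion was issued.

    A token replayed from a cached IdP session (the thread's step 4) fails
    this check as soon as its lifetime has elapsed.
    """
    root = ET.fromstring(assertion_xml)
    return token_exp(attribute_value(root, attr_name)) > assertion_issue_instant(root)


def make_token(exp: int) -> str:
    """Build a token in the assumed format (constructed, unsigned)."""
    return base64.urlsafe_b64encode(json.dumps({"exp": exp}).encode()).decode().rstrip("=")


def make_assertion(issue_instant: str, token: str) -> str:
    """Minimal constructed assertion; real ones also carry Subject, Conditions, Signature."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed" Version="2.0" IssueInstant="{issue_instant}">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="access_token">
      <saml:AttributeValue>{token}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


# Scenario from the thread: token minted at first login with a 5-minute
# lifetime, then the same attribute value re-sent to SP-B 10 minutes later.
FIRST_LOGIN = "2024-01-01T12:00:00Z"
SECOND_SP = "2024-01-01T12:10:00Z"
TOKEN = make_token(int(datetime(2024, 1, 1, 12, 5, tzinfo=timezone.utc).timestamp()))
FRESH = make_assertion(FIRST_LOGIN, TOKEN)  # assertion handed to SP-A
STALE = make_assertion(SECOND_SP, TOKEN)    # same token handed to SP-B later

if __name__ == "__main__":
    print("SP-A assertion token fresh:", token_is_fresh(FRESH))
    print("SP-B assertion token fresh:", token_is_fresh(STALE))
```

Comparing against IssueInstant rather than the SP's own clock makes the check independent of clock skew between IdP and SP and pins the decision to what the IdP itself claimed at issuance; a stale replay of the attribute therefore shows up as a token that was already expired when the assertion was signed.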