Forum Discussion

gpracer69
Jun 14, 2017

How can I assign the groups from the Saml assertion to a variable?

I'm going to start off by saying that I'm very new to F5 and APM administration.


I have created a new webtop for use by a separate group. This access profile uses SAML authentication that hits our corporate ADFS. Here is what my Access Policy looks like right now:

The Variable Assign looks like this:

The last one on the list is the one that I know I don't have correct. Part of the SAML assertion that is coming back from the IdP is the list of groups the user is a member of in AD. It comes back in the assertion as:

  • modules/Authentication/Saml/SamlSPAgent.cpp: 'parseAssertion()': 3979: AttributeName: http://schemas.xmlsoap.org/claims/Group
  • modules/Authentication/Saml/SamlSPAgent.cpp: 'parseAssertion()': 3990: ATTR_NAME: (39) http://schemas.xmlsoap.org/claims/Group
  • modules/Authentication/Saml/SamlSPAgent.cpp: 'parseAssertion()': 4039: AttributeValue: Group1
  • modules/Authentication/Saml/SamlSPAgent.cpp: 'parseAssertion()': 4039: AttributeValue: Group2 etc...

I want to take the group in and turn it into the variable session.blah.blah.memberOf so that I can consume it as an AD group in my Group Membership box, so that it can pass the user to the correct Advanced Resource Assign box and the user sees the correct webtop link.

I am very novice at this so if you could please be as detailed as possible, I would really appreciate it.

2 Replies

  • I'm not sure I made this clear, but I'm trying to get the AD groups from the Saml assertion to be assigned to the variable of session.ad.last.attr.memberOf so that resource assignments can be made based on the User is a member of expression.

    I'm not sure if there is a better or more efficient way to do this. I just need this to work.
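As an added illustration (not part of the original thread, and not F5's code), the following Python script walks through the transformation the poster is after: pull the multi-valued `http://schemas.xmlsoap.org/claims/Group` attribute out of a SAML 2.0 assertion, render it in the `| CN=...,DC=... |` pipe-delimited shape that APM's AD query writes into `session.ad.last.attr.memberOf`, and then evaluate a "user is a member of" style check against it. Everything here is an assumption for demonstration: the assertion XML is constructed, the `DC=example,DC=com` base DN is made up, and the memberOf layout is modelled on what an AD query produces rather than read from the page. On the BIG-IP itself the same lookup would be a Variable Assign custom expression reading the SAML attribute from its session variable (APM stores assertion attributes under `session.saml.last.attr.name.<AttributeName>`; confirm the exact name in your session report). Note that the conversion refuses attribute values that contain the `,` or `|` separators, because an IdP-supplied value like `Group1,DC=...` or `Group1 | CN=Admins` would otherwise rewrite the DN list the membership check depends on; the assertion's signature is assumed to have been validated by the SP before any of its attributes are trusted.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace used by the XPath-style lookups below.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute name seen in the poster's APM debug log.
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"

# Constructed sample assertion (not a real ADFS response): two Group values
# plus an unrelated attribute, so the filter by Name is actually exercised.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2017-06-14T00:00:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>user1@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>Group1</saml:AttributeValue>
      <saml:AttributeValue>Group2</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/CommonName">
      <saml:AttributeValue>user1</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml, name):
    """Return every AttributeValue of the Attribute called `name`, in order.

    Only AttributeStatement/Attribute elements are consulted; a value that
    appears anywhere else in the document is ignored.
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != name:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            values.append((value.text or "").strip())
    return values


def to_member_of(groups, base_dn="DC=example,DC=com"):
    """Render group names as the pipe-delimited DN list APM uses for
    session.ad.last.attr.memberOf (assumed layout: '| CN=a,... | CN=b,... |').

    Values containing ',' or '|' are rejected rather than escaped, since either
    character would let an attribute value inject extra DN components or entries.
    """
    if not groups:
        return ""
    dns = []
    for group in groups:
        if not group or "," in group or "|" in group:
            raise ValueError("unsafe group value from IdP: %r" % group)
        dns.append("CN=%s,%s" % (group, base_dn))
    return "| " + " | ".join(dns) + " |"


def is_member_of(member_of, group_cn):
    """Case-insensitive 'user is a member of' check on a memberOf string.

    Each pipe-separated entry must start with 'CN=<group>,' as a whole RDN, so
    'Group1' does not match 'Group10'.
    """
    entries = [e.strip() for e in member_of.strip().strip("|").split("|")]
    wanted = "cn=%s," % group_cn.lower()
    return any(e.lower().startswith(wanted) for e in entries)


if __name__ == "__main__":
    groups = attribute_values(SAMPLE_ASSERTION, GROUP_ATTR)
    member_of = to_member_of(groups)
    print("groups from assertion:", groups)
    print("memberOf string:", member_of)
    print("member of Group1?", is_member_of(member_of, "Group1"))
```

The same three steps map onto the APM policy: the SAML Auth agent fills the session variable, a Variable Assign builds the memberOf-shaped value, and the Group Membership / Advanced Resource Assign branch rule does the membership test.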