ACCESS_SAML_ASSERTION

Description

This event is triggered after BIG-IP, acting as a SAML identity provider (IdP), has generated the SAML assertion payload for a user session and before that payload is signed. An administrator can use this event to inspect and modify the generated assertion: the ACCESS::saml assertion command returns the current assertion when called without an argument and replaces it when called with one. Because signing happens after this event, whatever is set here is what the IdP signs and sends to the service provider, so a rewrite should substitute fixed, known values and never data taken from the client request.

Examples

when ACCESS_SAML_ASSERTION {
        # Read the SAML assertion payload that BIG-IP has generated for this session.
        set assertion [ ACCESS::saml assertion ]
        # Log the assertion as generated, before any change.
        log -noname accesscontrol.local1.notice "Assertion before modification: $assertion"
        # Replace every occurrence of the 'unspecified' AuthnContextClassRef with 'PasswordProtectedTransport'.
        # string map returns the input unchanged if the first value does not occur.
        set new_assertion [ string map {"urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified" "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"} $assertion ]
        # Hand the modified assertion back to APM; this is the payload that will be signed and forwarded.
        ACCESS::saml assertion $new_assertion
        # Log the assertion as it will be signed.
        log -noname accesscontrol.local1.notice "Assertion after modification: $new_assertion"
}
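The example above rewrites the authentication context unconditionally. The following iRule is an added example, not code from the original page or from F5, that only claims PasswordProtectedTransport when the access policy actually completed a password authentication, and that verifies the edit before handing it back, since anything set in this event is signed by the IdP. It assumes the policy ran an AD Auth agent (which sets session.ad.last.authresult to 1 on success) and that ACCESS::session data get resolves the current session inside this event; adjust the variable name for the authentication agent in use.

```tcl
# Added example (not from the original page): conditional, verified rewrite of AuthnContextClassRef.
when ACCESS_SAML_ASSERTION {
    set assertion [ACCESS::saml assertion]
    set from "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
    set to   "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

    # Assumption: the access policy ran an AD Auth agent, which sets this
    # session variable to 1 on success. Do not claim a password-based context
    # for a session that did not authenticate with a password.
    set authresult [ACCESS::session data get "session.ad.last.authresult"]
    if { $authresult ne "1" } {
        log -noname accesscontrol.local1.notice "Session not password-authenticated (authresult='$authresult'); assertion left unchanged"
        return
    }

    # string map silently returns the input unchanged when the search value is
    # absent; detect that case explicitly so the logs do not claim a rewrite
    # that never happened.
    if { [string first $from $assertion] == -1 } {
        log -noname accesscontrol.local1.notice "AuthnContextClassRef '$from' not present; no rewrite"
        return
    }

    # Both values are fixed literals, never taken from the request, because the
    # result is signed by the IdP and trusted by the service provider.
    set new_assertion [string map [list $from $to] $assertion]

    # Verify the result before committing it: the old class reference must be
    # gone, the new one must be present, and the length must have changed by
    # exactly the difference between the two literals per replaced occurrence.
    set occurrences [regexp -all ***=$from $assertion]
    set expected_len [expr { [string length $assertion] + $occurrences * ([string length $to] - [string length $from]) }]
    if { [string first $from $new_assertion] != -1 \
         || [string first $to $new_assertion] == -1 \
         || [string length $new_assertion] != $expected_len } {
        log -noname accesscontrol.local1.err "Assertion rewrite failed verification; assertion left unchanged"
        return
    }

    ACCESS::saml assertion $new_assertion
    log -noname accesscontrol.local1.notice "AuthnContextClassRef rewritten ($occurrences occurrence(s)) for user '[ACCESS::session data get session.logon.last.username]'"
}
```

The `***=` prefix in `regexp -all` makes Tcl treat the rest of the pattern as a literal string, so the URN's colons and dots are not interpreted as regular-expression metacharacters. Logging at `err` rather than `notice` on the verification failure keeps the failed-rewrite case visible when notice-level messages are filtered out.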