ACCESS_SAML_ASSERTION

Description
This event is triggered after BIG-IP, acting as SAML identity provider, has generated the SAML assertion payload for a user session and before that payload is signed. An administrator can use this event to inspect and modify the generated assertion: the ACCESS::saml assertion command returns the current assertion payload and, when given an argument, replaces it. Because the event fires before signing, whatever the iRule sets here is what BIG-IP signs and the service provider trusts, so changes should be limited to values the session has actually established.
Examples
when ACCESS_SAML_ASSERTION {
    # Read the generated SAML assertion payload into the variable "assertion".
    set assertion [ACCESS::saml assertion]
    # Log the payload as generated (it carries the user's identity and attributes).
    log -noname accesscontrol.local1.notice "Assertion before modification: $assertion"
    # Replace the AuthnContextClassRef value 'unspecified' with 'PasswordProtectedTransport'
    # and store the result in "new_assertion".
    set new_assertion [string map {"urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified" "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"} $assertion]
    # Install "new_assertion" as the assertion that BIG-IP will sign and forward.
    ACCESS::saml assertion $new_assertion
    # Log the payload as modified.
    log -noname accesscontrol.local1.notice "Assertion after modification: $new_assertion"
}
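The example above rewrites the AuthnContextClassRef unconditionally. The following iRule, added here as an illustration and not part of the original page or of F5's documentation, sets the context class only from what the session recorded, leaves any other value untouched, and logs the username rather than the full payload. It assumes that an earlier access-policy item stored the authentication method in the custom session variable session.custom.authn_method (an assumed variable name; "otp" or "password"); session.logon.last.username and ACCESS::session data get are standard APM names.

```tcl
when ACCESS_SAML_ASSERTION {
    set assertion [ACCESS::saml assertion]

    # Identify the session in logs without writing out the whole assertion,
    # which contains the subject and all released attributes.
    set user [ACCESS::session data get "session.logon.last.username"]

    # Assumed for this example: a prior policy item recorded how the user
    # actually authenticated in session.custom.authn_method.
    set method [ACCESS::session data get "session.custom.authn_method"]

    # Standard SAML 2.0 authentication context class URIs.
    set unspecified "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
    set password    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    set otp         "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"

    # Map the recorded method to a context class; assert nothing if none was recorded.
    switch -- $method {
        "otp"      { set target $otp }
        "password" { set target $password }
        default {
            log -noname accesscontrol.local1.notice "No recorded authn method for '$user'; AuthnContextClassRef left unchanged"
            return
        }
    }

    # Only replace the 'unspecified' placeholder; never overwrite a class that
    # the IdP configuration already set.
    if { [string first $unspecified $assertion] == -1 } {
        log -noname accesscontrol.local1.notice "AuthnContextClassRef already set for '$user'; no change"
        return
    }

    set new_assertion [string map [list $unspecified $target] $assertion]
    ACCESS::saml assertion $new_assertion
    log -noname accesscontrol.local1.notice "AuthnContextClassRef set to '$target' for '$user'"
}
```

The guard on the placeholder value matters because string map replaces every occurrence: if the assertion already carries a specific class, the rule does nothing rather than silently asserting a different one.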