ACCESS_SAML_SLO_REQ

Description

This event is triggered when the SAML single logout request payload is generated and before it is signed for a user session by BIG-IP as service provider or identity provider. Admin can use this event to view and make modifications to the generated SAML single logout request payload. Admin can use ACCESS::saml slo_req command to extract and modify SAML single logout request.

Examples

when ACCESS_SAML_SLO_REQ {
        # Variable slo_request is set to the SAML single logout request payload generated.
        set slo_request [ ACCESS::saml slo_req ]
        # The value set in variable slo_request is logged.
        log -noname accesscontrol.local1.notice "SLO Request before modification: $slo_request"
        # The variable slo_request is copied to variable new_slo_request.
        set new_slo_request $slo_request
        # regsub is used to insert attribute 'Reason' before 'Version' attribute in new_slo_request.
        regsub -all {Version="2.0"} $new_slo_request "Reason=\"urn:oasis:names:tc:SAML:2.0:logout:user\" Version=\"2.0\"" new_slo_request
        # Variable new_slo_request is set as the SAML single logout request to be processed and forwarded.
        ACCESS::saml slo_req $new_slo_request
        # The value set in variable new_slo_request is logged.
        log -noname accesscontrol.local1.notice "SLO Request after modification: $new_slo_request"
}