ACCESS_SAML_SLO_RESP
Description
This event is triggered once the SAML single logout response payload
has been generated and before it is signed for a user session by BIG-IP
acting as a service provider or identity provider. An administrator can
use this event to view and modify the generated SAML single logout
response payload. Use the ACCESS::saml slo_resp command to extract and
modify the SAML single logout response.
Examples
when ACCESS_SAML_SLO_RESP {
    # Store the generated SAML single logout response payload in slo_response.
    set slo_response [ ACCESS::saml slo_resp ]
    # Log the payload as generated.
    log -noname accesscontrol.local1.notice "SLO Response before modification: $slo_response"
    # Copy slo_response to new_slo_response.
    set new_slo_response $slo_response
    # Use regsub to insert a 'StatusMessage' element inside the 'Status' element of new_slo_response.
    regsub -all {</saml2p:Status>} $new_slo_response " <saml2p:StatusMessage>logout is successful</saml2p:StatusMessage></saml2p:Status>" new_slo_response
    # Set new_slo_response as the SAML single logout response to be processed and forwarded.
    ACCESS::saml slo_resp $new_slo_response
    # Log the modified payload.
    log -noname accesscontrol.local1.notice "SLO Response after modification: $new_slo_response"
}
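
A guarded variant of the rewrite above, added here as an illustration and not taken from the F5 documentation: it inserts the StatusMessage only when the top-level status is Success and the payload has no StatusMessage or StatusDetail element, so the message stays truthful, is never duplicated, and keeps the SAML schema order (StatusCode, StatusMessage, StatusDetail). It assumes the payload uses the saml2p: prefix, as in the example above.

```tcl
when ACCESS_SAML_SLO_RESP {
    # Added example (not from the original page): guarded StatusMessage insert.
    set slo_response [ACCESS::saml slo_resp]

    # Only describe the logout as successful when the response says so.
    if { [string first "urn:oasis:names:tc:SAML:2.0:status:Success" $slo_response] < 0 } {
        log -noname accesscontrol.local1.notice "SLO Response: status is not Success, payload left unchanged"
        return
    }

    # Assumption: elements carry the saml2p: prefix, as in the example above.
    # Skip if a StatusMessage exists (avoid duplicates) or a StatusDetail exists
    # (a message appended before </saml2p:Status> would follow it and break
    # the schema's element order).
    if { [string first "<saml2p:StatusMessage" $slo_response] >= 0 ||
         [string first "<saml2p:StatusDetail" $slo_response] >= 0 } {
        log -noname accesscontrol.local1.notice "SLO Response: StatusMessage or StatusDetail present, payload left unchanged"
        return
    }

    # A logout response carries a single Status element, so replace only the
    # first closing tag (no -all) and keep the match count regsub returns.
    set count [regsub {</saml2p:Status>} $slo_response \
        {<saml2p:StatusMessage>logout is successful</saml2p:StatusMessage></saml2p:Status>} \
        new_slo_response]

    if { $count == 1 } {
        # Hand the modified payload back for processing and forwarding.
        ACCESS::saml slo_resp $new_slo_response
        log -noname accesscontrol.local1.notice "SLO Response: StatusMessage inserted"
    } else {
        log -noname accesscontrol.local1.notice "SLO Response: closing Status element not found, payload left unchanged"
    }
}
```

This variant logs only the outcome of the rewrite, not the full payload, which keeps session identifiers carried in the response out of the log.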