ACCESS_SAML_SLO_RESP

Description

This event is triggered after the SAML single logout (SLO) response payload has been generated for a user session, and before it is signed, by a BIG-IP system acting as service provider or identity provider. An administrator can use this event to view and modify the generated SLO response payload. Because the event fires before signing, changes made here are applied to the payload before any signature is computed. Use the ACCESS::saml slo_resp command to extract and modify the SAML single logout response.

Examples

when ACCESS_SAML_SLO_RESP {
        # Variable slo_response is set to the SAML single logout response payload generated.
        set slo_response [ ACCESS::saml slo_resp ]
        # The value set in variable slo_response is logged.
        log -noname accesscontrol.local1.notice "SLO Response before modification: $slo_response"
        # The variable slo_response is copied to variable new_slo_response.
        set new_slo_response $slo_response
        # regsub is used to insert 'StatusMessage' element within 'Status' element in new_slo_response.
        regsub -all {</saml2p:Status>} $new_slo_response " <saml2p:StatusMessage>logout is successful</saml2p:StatusMessage></saml2p:Status>" new_slo_response
        # Variable new_slo_response is set as the SAML single logout response to be processed and forwarded.
        ACCESS::saml slo_resp $new_slo_response
        # The value set in variable new_slo_response is logged.
        log -noname accesscontrol.local1.notice "SLO Response after modification: $new_slo_response"
}
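
A more defensive variant of the example above, added here and not part of F5's documentation. It uses the same ACCESS::saml slo_resp get/set calls, but detects the namespace prefix instead of assuming saml2p, skips a response that already carries a StatusMessage, and inserts the element before StatusDetail when one is present, because the SAML schema orders the children of Status as StatusCode, StatusMessage, StatusDetail. It assumes the payload is the XML text returned by ACCESS::saml slo_resp and that the message is a fixed literal.

```tcl
when ACCESS_SAML_SLO_RESP {
    # Added example (not F5's own code). Read the generated SLO response.
    set slo_response [ACCESS::saml slo_resp]

    # Fixed literal taken from the example above. Any non-literal text placed
    # here would have to be XML-escaped first.
    set msg "logout is successful"

    # Locate the closing Status tag and capture the namespace prefix in use
    # ("saml2p:", "samlp:", or empty) rather than hard-coding it.
    if { ![regexp {</((?:[A-Za-z_][A-Za-z0-9_.-]*:)?)Status>} $slo_response match prefix] } {
        log -noname accesscontrol.local1.notice "SLO Response has no Status element; left unmodified"
        return
    }

    # A Status element may hold at most one StatusMessage: do not add a second.
    if { [string first "<${prefix}StatusMessage" $slo_response] >= 0 } {
        log -noname accesscontrol.local1.notice "SLO Response already has a StatusMessage; left unmodified"
        return
    }

    # Schema order is StatusCode, StatusMessage, StatusDetail, so insert before
    # StatusDetail when it exists, otherwise directly before </Status>.
    set idx [string first "<${prefix}StatusDetail" $slo_response]
    if { $idx < 0 } {
        set idx [string first "</${prefix}Status>" $slo_response]
    }

    # Plain string splicing avoids the special meaning of & and \ in a
    # regsub substitution string.
    set element "<${prefix}StatusMessage>$msg</${prefix}StatusMessage>"
    set head [string range $slo_response 0 [expr {$idx - 1}]]
    set tail [string range $slo_response $idx end]
    set new_slo_response "$head$element$tail"

    # Hand the modified payload back for signing and forwarding.
    ACCESS::saml slo_resp $new_slo_response

    # Log only the size change instead of the full payload.
    log -noname accesscontrol.local1.notice "SLO Response StatusMessage inserted ([string length $slo_response] -> [string length $new_slo_response] bytes)"
}
```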