ACCESS::saml

Description

This command allows you to retrieve or manipulate SAML related messages.

Syntax

ACCESS::saml authn [value]
ACCESS::saml assertion [value]
ACCESS::saml slo_req [value]
ACCESS::saml slo_resp [value]

ACCESS::saml authn [value]

  • Returns the SAML authentication request payload generated by BIG-IP as service provider. Sets the SAML authentication request if given.

ACCESS::saml assertion [value]

  • Returns the SAML assertion payload generated by BIG-IP as identity provider. Sets the SAML assertion if given.

ACCESS::saml slo_req [value]

  • Returns the SAML single logout request payload generated by BIG-IP as service provider or identity provider. Sets the SAML single logout request if given.

ACCESS::saml slo_resp [value]

  • Returns the SAML single logout response payload generated by BIG-IP as service provider or identity provider. Sets the SAML single logout response if given.

Examples

when ACCESS_SAML_AUTHN {
        # Variable authn_request is set to SAML authentication request payload generated.
        set authn_request [ ACCESS::saml authn ]
        # The value set in variable authn_request is logged.
        log -noname accesscontrol.local1.notice "AuthN Req before modification: $authn_request"
        # The NameIDPolicy format in authn_request is modified from 'unspecified' to 'emailAddress' and set in variable new_authn_request.
        set new_authn_request [ string map {"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"} $authn_request ]
        # Variable new_authn_request is set as the SAML authentication request to be processed and forwarded.
        ACCESS::saml authn $new_authn_request
        # The value set in variable new_authn_request is logged.
        log -noname accesscontrol.local1.notice "AuthN Req after modification: $new_authn_request"
}

when ACCESS_SAML_ASSERTION {
        # Variable assertion is set to the SAML assertion payload generated.
        set assertion [ ACCESS::saml assertion ]
        # The value set in variable assertion is logged.
        log -noname accesscontrol.local1.notice "Assertion before modification: $assertion"
        # The AuthnContextClassRef in assertion is modified from 'unspecified' to 'PasswordProtectedTransport' and set in variable new_assertion.
        set new_assertion [ string map {"urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified" "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"} $assertion ]
        # Variable new_assertion is set as the SAML assertion to be processed and forwarded.
        ACCESS::saml assertion $new_assertion
        # The value set in variable new_assertion is logged.
        log -noname accesscontrol.local1.notice "Assertion after modification: $new_assertion"
}

when ACCESS_SAML_SLO_REQ {
        # Variable slo_request is set to the SAML single logout request payload generated.
        set slo_request [ ACCESS::saml slo_req ]
        # The value set in variable slo_request is logged.
        log -noname accesscontrol.local1.notice "SLO Request before modification: $slo_request"
        # The variable slo_request is copied to variable new_slo_request.
        set new_slo_request $slo_request
        # regsub is used to insert attribute 'Reason' before 'Version' attribute in new_slo_request.
        regsub -all {Version="2.0"} $new_slo_request "Reason=\"urn:oasis:names:tc:SAML:2.0:logout:user\" Version=\"2.0\"" new_slo_request
        # Variable new_slo_request is set as the SAML single logout request to be processed and forwarded.
        ACCESS::saml slo_req $new_slo_request
        # The value set in variable new_slo_request is logged.
        log -noname accesscontrol.local1.notice "SLO Request after modification: $new_slo_request"
}

when ACCESS_SAML_SLO_RESP {
        # Variable slo_response is set to the SAML single logout response payload generated.
        set slo_response [ ACCESS::saml slo_resp ]
        # The value set in variable slo_response is logged.
        log -noname accesscontrol.local1.notice "SLO Response before modification: $slo_response"
        # The variable slo_response is copied to variable new_slo_response.
        set new_slo_response $slo_response
        # regsub is used to insert 'StatusMessage' element within 'Status' element in new_slo_response.
        regsub -all {</saml2p:Status>} $new_slo_response " <saml2p:StatusMessage>logout is successful</saml2p:StatusMessage></saml2p:Status>" new_slo_response
        # Variable new_slo_response is set as the SAML single logout response to be processed and forwarded.
        ACCESS::saml slo_resp $new_slo_response
        # The value set in variable new_slo_response is logged.
        log -noname accesscontrol.local1.notice "SLO Response after modification: $new_slo_response"
}