Assignment Items

The assignment items support assigning resources (such as credentials) to session variables.

Refer to Create Access policy for the OpenAPI specification document.

SSO Credential Mapping

The SSO Credential Mapping item caches the credentials in session variables for single sign-on (SSO) applications in the enterprise. This item enables users to automatically forward stored user names and passwords to applications and servers without having to input credentials repeatedly.

To create an Access policy with the SSO Credential Mapping item, specify the SSO token username in the variables property. The SSO token username defines the SSO session variable for the user name source.

[Figure: Tree-structure SSO Credential Mapping]

Example: The following example shows the variables property.

"variables": [
    {
        "varname": "session.sso.token.last.username",
        "expression": "mcget {session.saml.attr.username}"
    }
]

The table below lists the key objects for variable assignment:

Object       Type     Description
varname      string   Specifies the SSO token username. This is a required setting.
expression   string   Specifies the Tcl expression that obtains the user name from a session variable. This is a required setting.

Example: The following example shows the variables property in an Access policy.

{
    "languages": [
        "en"
    ],
    "defaultLanguage": "en",
    "start": {
        "name": "SAML_Auth",
        "caption": "Fallback",
        "itemType": "saml",
        "service": {
            "name": "Sample_SAML_SP_Service",
            "entityId": "https://sp.app.com",
            "isAuthnRequestSigned": false,
            "nameIdFormat": "unspecified",
            "idpConnectors": [],
            "relayState": "",
            "acsBinding": "http-post",
            "wantAssertionEncrypted": false,
            "wantAssertionSigned": false
        },
        "nextItems": [
            {
                "caption": "Successful",
                "expression": "expr {[mcget {session.saml.last.result}] == 1}",
                "itemType": "sso-credential-mapping",
                "name": "SSO_Credential_Mapping",
                "variables": [
                    {
                        "varname": "session.sso.token.last.username",
                        "expression": "mcget {session.saml.attr.username}"
                    }
                ]
            },
            {
                "caption": "Fallback",
                "itemType": "deny",
                "name": "Deny"
            }
        ]
    }
}

Variable Assign

The Variable Assign item is a powerful tool for customizing new or predefined session variables. You can create new variables, or modify existing session variables, with either a static value or a value computed dynamically from other session variables.

To assign one or more variables in a per-session policy, define the variables property. The configuration for this property includes an array of variable settings such as varname and expression.

Example: The following example shows the variables property.

"variables": [
    {
        "varname": "session.sso.token.last.username",
        "expression": "mcget {session.logon.last.username}",
        "secure": false,
        "append": false,
        "separator": " "
    },
    {
        "varname": "session.sso.token.last.password",
        "expression": "mcget {session.logon.last.password}",
        "secure": true,
        "append": false
    }
]

The table below lists the key objects for variable assignment:

Object       Type      Description
itemType     string    Specifies the BIG-IP Next Access policy item. For the Variable Assign item, the value is variable-assign. This is a required setting.
name         string    Specifies the name of the BIG-IP Next Access policy item. This is a required setting.
caption      string    Specifies a human-readable description of the policy branch.
variables    array     Specifies the Variable Assignment objects for an Access configuration. Each object has the following properties:
  varname      string    Specifies the name of the new variable, or the name of the existing variable whose value you want to change. This is a required setting.
  expression   string    Specifies the Tcl expression. This is a required setting. The mcget command is an abbreviation for "get the session variable from the memory cache." When evaluating a branch rule, BIG-IP Next Access obtains session variables from system memory using the Tcl command mcget. In the example above, the mcget command returns the data stored in the session.logon.last.username and session.logon.last.password variables from the memory cache. Access evaluates the expression and assigns its value to the newly created variable.
                         The Tcl expression can also contain one or more expr or return commands. An expr command evaluates an expression and returns the result. A return command simply returns its argument, and can be used to set the variable to a numeric value or a string. For example (each value is a JSON string, so embedded double quotes and backslashes are escaped):
                           "expression": "return {1800}",
                           "expression": "return {Hello World}",
                           "expression": "expr { [mcget session.custom.value1] + [mcget session.custom.value2] }",
                           "expression": "expr { \"[mcget {session.logon.last.domain}]\\\\[mcget {session.logon.last.username}]\" }", (yields domain\username)
                           "expression": "expr {1800}"
                         For details on Tcl expressions, refer to https://www.tcl.tk/man/tcl8.5/TclCmd/expr.html.
  secure       boolean   Specifies whether the variable is secure or unsecure. The value of a secure variable is not displayed in the session report, nor logged by the logging item.
  append       boolean   Specifies whether to append the value to the variable's existing value instead of replacing it.
  separator    string    Specifies the separator inserted between appended values. For example, "===", " " (space), ";" (semicolon) or "." (period).
nextItems    array     Specifies the different branches of the BIG-IP Next Access policy item. This is a required setting.

Example: The following example shows the variables property in an Access policy.

{
    "languages": [ "en" ],
    "defaultLanguage": "en",
    "start": {
        "name": "Variable_Assign",
        "caption": "Fallback",
        "itemType": "variable-assign",
        "variables": [
            {
                "varname": "session.logon.last.ntdomain",
                "expression": "mcget {session.logon.last.ntdomain}"
            },
            {
                "varname": "session.inactivity_timeout",
                "expression": "mcget {session.inactivity_timeout}"
            },
            {
                "varname": "session.ssl.cert.whole",
                "expression": "mcget {session.check_machinecert.last.cert.cert}"
            },
            {
                "varname": "session.krbsso.username",
                "expression": "mcget {session.ad.last.attr.sAMAccountName}"
            },
            {
                "varname": "session.krbsso.domain",
                "expression": "mcget {session.ad.last.actualdomain}"
            }
        ],
        "nextItems" : [
            {
                "itemType": "allow"
            }
        ]
    }
}
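Because a variable assigned without "secure": true is written to the session report and to logging items, a policy review should catch credentials that are copied into unsecured variables, as well as append settings with no separator. The following linter is an added example (not part of this documentation or the BIG-IP Next Access product); it walks a constructed policy document modelled on the example above, and the credential-name pattern and the generic mcget parser are assumptions of the example.

```python
import json
import re

# Assumption for this example: credential-bearing session variables are identified by
# name; the page itself only shows session.sso.token.last.password being set secure.
SENSITIVE = re.compile(r"password|passwd|secret", re.IGNORECASE)
MCGET = re.compile(r"mcget\s+\{?([A-Za-z0-9_.]+)\}?")  # session variable read by mcget

# Constructed policy fragment modelled on the page's Variable Assign example.
SAMPLE_POLICY = json.loads("""{
  "languages": ["en"], "defaultLanguage": "en",
  "start": {
    "itemType": "variable-assign",
    "variables": [
      {"varname": "session.sso.token.last.username",
       "expression": "mcget {session.logon.last.username}", "secure": false},
      {"varname": "session.sso.token.last.password",
       "expression": "mcget {session.logon.last.password}", "secure": false},
      {"varname": "session.custom.groups",
       "expression": "mcget {session.ad.last.attr.memberOf}", "append": true}
    ],
    "nextItems": [{"itemType": "allow"}]
  }
}""")

def iter_items(item):
    """Walk the policy tree: an item and, recursively, its nextItems branches."""
    yield item
    for branch in item.get("nextItems", []):
        yield from iter_items(branch)

def lint_policy(policy):
    """Return a list of findings for the assignment items in an Access policy."""
    findings = []
    for item in iter_items(policy["start"]):
        kind = item.get("itemType")
        if kind not in ("variable-assign", "sso-credential-mapping"):
            continue
        label = item.get("name") or kind
        if "name" not in item:
            findings.append(f"{label}: missing required 'name'")
        for var in item.get("variables", []):
            varname, expr = var.get("varname", ""), var.get("expression", "")
            sources = MCGET.findall(expr)  # session variables the expression reads
            if SENSITIVE.search(varname) or any(SENSITIVE.search(s) for s in sources):
                if var.get("secure") is not True:
                    findings.append(f"{label}: {varname} carries a credential but 'secure' is not true")
            if var.get("append") and not var.get("separator"):
                findings.append(f"{label}: {varname} appends without a 'separator'")
    return findings
```

Run `lint_policy(SAMPLE_POLICY)` to see the three findings the constructed policy triggers: a missing item name, the password copied into an unsecured variable, and an append with no separator.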