ltm rule command ACCESS samlΒΆ

iRule(1)						BIG-IP TMSH Manual						  iRule(1)

ACCESS::saml
       Access or manipulate SAML related messages.

SYNOPSIS
       ACCESS::saml authn (CONTENT)?

       ACCESS::saml assertion (CONTENT)?

       ACCESS::saml slo_req (CONTENT)?

       ACCESS::saml slo_resp (CONTENT)?

DESCRIPTION
       The different ACCESS::saml sub-commands allow you to access or manipulate outgoing SAML request/response messages including
       authentication request, assertion, single logout request and response.

       ACCESS::saml authn

	    * Returns the SAML authentication request payload generated by BIG-IP
	      as service provider. Sets the SAML authentication request if given.

       ACCESS::saml assertion

	    * Returns the SAML assertion payload generated by BIG-IP as
	      identity provider. Sets the SAML assertion if given.

       ACCESS::saml slo_req

	    * Returns the SAML single logout request payload generated by BIG-IP
	      as service provider or identity provider. Sets the SAML single
	      logout request if given.

       ACCESS::saml slo_resp

	    * Returns the SAML single logout response payload generated by BIG-IP
	      as service provider or identity provider. Sets the SAML single
	      logout response if given.

RETURN VALUE
VALID DURING
       ACCESS_SAML_AUTHN, ACCESS_SAML_ASSERTION, ACCESS_SAML_SLO_REQ, ACCESS_SAML_SLO_RESP

EXAMPLES
	when ACCESS_SAML_AUTHN {
		# Variable authn_request is set to SAML authentication request payload generated.
		set authn_request [ ACCESS::saml authn ]
		# The value set in variable authn_request is logged.
		log -noname accesscontrol.local1.notice "AuthN Req before modification: $authn_request"
		# The NameIDPolicy format in authn_request is modified from 'unspecified' to 'emailAddress' and set in variable new_authn_request.
		set new_authn_request [ string map {"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"} $authn_request ]
		# Variable new_authn_request is set as the SAML authentication request to be processed and forwarded.
		ACCESS::saml authn $new_authn_request
		# The value set in variable new_authn_request is logged.
		log -noname accesscontrol.local1.notice "AuthN Req after modification: $new_authn_request"
	}

	when ACCESS_SAML_ASSERTION {
		# Variable assertion is set to the SAML assertion payload generated.
		set assertion [ ACCESS::saml assertion ]
		# The value set in variable assertion is logged.
		log -noname accesscontrol.local1.notice "Assertion before modification: $assertion"
		# The AuthnContextClassRef in assertion is modified from 'unspecified' to 'PasswordProtectedTransport' and set in variable new_assertion.
		set new_assertion [ string map {"urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified" "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"} $assertion ]
		# Variable new_assertion is set as the SAML assertion to be processed and forwarded.
		ACCESS::saml assertion $new_assertion
		# The value set in variable new_assertion is logged.
		log -noname accesscontrol.local1.notice "Assertion after modification: $new_assertion"
	}

	when ACCESS_SAML_SLO_REQ {
		# Variable slo_request is set to the SAML single logout request payload generated.
		set slo_request [ ACCESS::saml slo_req ]
		# The value set in variable slo_request is logged.
		log -noname accesscontrol.local1.notice "SLO Request before modification: $slo_request"
		# The variable slo_request is copied to variable new_slo_request.
		set new_slo_request $slo_request
		# regsub is used to insert attribute 'Reason' before 'Version' attribute in new_slo_request.
		regsub -all {Version="2.0"} $new_slo_request "Reason=\"urn:oasis:names:tc:SAML:2.0:logout:user\" Version=\"2.0\"" new_slo_request
		# Variable new_slo_request is set as the SAML single logout request to be processed and forwarded.
		ACCESS::saml slo_req $new_slo_request
		# The value set in variable new_slo_request is logged.
		log -noname accesscontrol.local1.notice "SLO Request after modification: $new_slo_request"
	}

	when ACCESS_SAML_SLO_RESP {
		# Variable slo_response is set to the SAML single logout response payload generated.
		set slo_response [ ACCESS::saml slo_resp ]
		# The value set in variable slo_response is logged.
		log -noname accesscontrol.local1.notice "SLO Response before modification: $slo_response"
		# The variable slo_response is copied to variable new_slo_response.
		set new_slo_response $slo_response
		# regsub is used to insert 'StatusMessage' element within 'Status' element in new_slo_response.
		regsub -all {} $new_slo_response " logout is successful" new_slo_response
		# Variable new_slo_response is set as the SAML single logout response to be processed and forwarded.
		ACCESS::saml slo_resp $new_slo_response
		# The value set in variable new_slo_response is logged.
		log -noname accesscontrol.local1.notice "SLO Response after modification: $new_slo_response"
	}

HINTS
SEE ALSO
CHANGE LOG
       @BIGIP-14.1.0 --First introduced the command.

BIG-IP							    2022-04-12							  iRule(1)