This iRule can help with troubleshooting SAML on F5
when ACCESS_SAML_AUTHN {
# Variable authn_request is set to SAML authentication request payload generated.
set authn_request [ ACCESS::saml authn ]
# The value set in variable authn_request is logged.
log -noname accesscontrol.local1.notice "AuthN Req before modification: $authn_request"
# The NameIDPolicy format in authn_request is modified from 'unspecified' to 'emailAddress' and set in variable new_authn_request.
set new_authn_request [ string map {"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"} $authn_request ]
# Variable new_authn_request is set as the SAML authentication request to be processed and forwarded.
ACCESS::saml authn $new_authn_request
# The value set in variable new_authn_request is logged.
log -noname accesscontrol.local1.notice "AuthN Req after modification: $new_authn_request"
log local0. "AuthN Req after modification: $new_authn_request"
}
when ACCESS_SAML_ASSERTION {
# Variable assertion is set to the SAML assertion payload generated.
set assertion [ ACCESS::saml assertion ]
# The value set in variable assertion is logged.
log -noname accesscontrol.local1.notice "Assertion before modification: $assertion"
# The AuthnContextClassRef in assertion is modified from 'unspecified' to 'PasswordProtectedTransport' and set in variable new_assertion.
set new_assertion [ string map {"urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified" "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"} $assertion ]
# Variable new_assertion is set as the SAML assertion to be processed and forwarded.
ACCESS::saml assertion $new_assertion
# The value set in variable new_assertion is logged.
log -noname accesscontrol.local1.notice "Assertion after modification: $new_assertion"
log local0. "Assertion after modification: $new_assertion"
}
when ACCESS_SAML_SLO_REQ {
# Variable slo_request is set to the SAML single logout request payload generated.
set slo_request [ ACCESS::saml slo_req ]
# The value set in variable slo_request is logged.
log -noname accesscontrol.local1.notice "SLO Request before modification: $slo_request"
# The variable slo_request is copied to variable new_slo_request.
set new_slo_request $slo_request
# regsub is used to insert attribute 'Reason' before 'Version' attribute in new_slo_request.
regsub -all {Version="2.0"} $new_slo_request "Reason=\"urn:oasis:names:tc:SAML:2.0:logout:user\" Version=\"2.0\"" new_slo_request
# Variable new_slo_request is set as the SAML single logout request to be processed and forwarded.
ACCESS::saml slo_req $new_slo_request
# The value set in variable new_slo_request is logged.
log -noname accesscontrol.local1.notice "SLO Request after modification: $new_slo_request"
log local0. "SLO Request after modification: $new_slo_request"
}
when ACCESS_SAML_SLO_RESP {
# Variable slo_response is set to the SAML single logout response payload generated.
set slo_response [ ACCESS::saml slo_resp ]
# The value set in variable slo_response is logged.
log -noname accesscontrol.local1.notice "SLO Response before modification: $slo_response"
# The variable slo_response is copied to variable new_slo_response.
set new_slo_response $slo_response
# regsub is used to insert 'StatusMessage' element within 'Status' element in new_slo_response.
regsub -all {</saml2p:Status>} $new_slo_response " <saml2p:StatusMessage>logout is successful</saml2p:StatusMessage></saml2p:Status>" new_slo_response
# Variable new_slo_response is set as the SAML single logout response to be processed and forwarded.
ACCESS::saml slo_resp $new_slo_response
# The value set in variable new_slo_response is logged.
log -noname accesscontrol.local1.notice "SLO Response after modification: $new_slo_response"
log local0. "SLO Response after modification: $new_slo_response"
}