Manual Chapter : Session variables for more granular access control in step-up authentication

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 15.1.10, 15.1.9
Manual Chapter

Session variables for more granular access control in step-up authentication

Session variables might not change throughout a session. However, in conjunction with other data, they can be used to create distinctive subsessions that control which resources a user can reach. A Variable Assign agent or an iRule agent could put a string into the
perflow.custom
or
perflow.scratchpad
variable like this example:
Senior_Executive_After_Hours_04_06_2017
An administrator can derive the example string from a session variable and date-time information.
  • Senior_Executive - Added to the string based on a group name in the
    session.ldap.last.attr.memberOf
    session variable.
  • After_Hours - Appended to the string if the current time is after 5 PM today and before 7 AM tomorrow; otherwise, Office_Hours could be appended to the string.
  • 04_06_2017 - The most recent 24-hour period that started at 7 AM is appended to the string.
The F5 DevCentral online community is the source for information about iRules.
BIG-IP Access Policy Manager: Visual Policy Editor
on the AskF5 web site located at
support.f5.com
provides information about session variables, perflow variables, and Tcl usage, all of which can be helpful when working with Variable Assign.