SAML attributes were configured in an authentication SAML IdP profile. An attribute expression that extracts the client certificate subject fails with an “expression syntax” error:
> add samlIdpProfile test -Attribute1 cert_subject -Attribute1Expr CLIENT.ssl.client_cert.subject
ERROR: Expression syntax error [client_cert^.subject, Offset 22]
> add samlIdpProfile test -Attribute1 cert_subject -Attribute1Expr CLIENT.ip.src
ERROR: Invalid expression
However, other expressions based on the HTTP request work without issues:
> add samlIdpProfile test -Attribute1 cert_subject -Attribute1Expr http.req.hostname
Done
Advanced authentication policy expressions, for example client-based (CLIENT.*) expressions, are not currently supported in a SAML profile.