Forum Discussion
Adding a SAML resource to a Webtop
Using 11.4.1 and have two working SAML virtual servers for each idp.
I have created a webtop and associated access profile, virtual server etc. The basic webtop links I've created and added work just fine.
I just can't seem to add a link to my SAML resources. I have added both SAML resources to the access profile but only see the Application URI webtop links I created as tests.
12 Replies
- Rabbit23_116296
Nimbostratus
The reason I'm creating a webtop in the first place is to accomplish idp initiated SSO! https://devcentral.f5.com/questions/saml-sso-without-a-webtop
- Rabbit23_116296
Nimbostratus
Ok, in the SAML resource do you have the 'publish on webtop' checked? If yes, in the session details (reports) is it assigning your SAML links properly as a connectivity resource?
- Rabbit23_116296
Nimbostratus
Spot on, I did miss that, thanks.
The two SAML links are now published. When trying either of them and doing a SAML trace, it is trying to POST the base64-encoded SAML assertion to the SP, but it is not sending a valid username / email address in the element of the assertion. So I'm trying to figure out how I can initiate the IdP connection without having to go to the service provider still :)
We have a vendor who only supports SP initiated connections ... so IDP initiated fails. Are you using AD? I put in an AD query on our policy after AD Auth so it can grab AD attributes to populate the assertion subject value or any other attributes. %{session.ad.last.attr.sAMAccountName}
Duh, you have AD auth set up ... so you're using AD.
- Rabbit23_116296
Nimbostratus
Yeah, I have customised the access profiles for each existing virtual server so they do all the AD queries and send the assertions as they should. But both only work when SP initiated. So I'd like to get it to work when accessing the virtual servers directly, so I'm trying the webtop iRule way like suggested in the link I posted above.
- Rabbit23_116296
Nimbostratus
OK great, my point is though that I have been unable to go to my virtual server, sign in, and then POST the assertion back to the SP.
- Rabbit23_116296
Nimbostratus
(I can initiate from the SP but not the IDP)
I did that once by putting in the F5 entity ID on the config in the service provider admin page instead of https://your_site_name/saml/idp/profile/redirectorpost/sso
It would only work SP initiated until I fixed it.
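As an added example that is not part of this thread or of F5's own code: a small Python check for the SAML trace step discussed above, which decodes a captured base64 SAMLResponse form value and reports whether the assertion's Subject NameID (and any attributes the AD query was meant to populate) actually came through. The sample response, the idp/sp hostnames and the "upn" attribute name are constructed for the example, and the check is diagnostic only: it does not validate the XML signature.

```python
import base64
from xml.etree import ElementTree as ET  # use defusedxml when parsing untrusted input

NS = {  # SAML 2.0 protocol and assertion namespaces
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def inspect_saml_response(b64_response: str) -> dict:
    """Decode a base64 SAMLResponse form value (as captured in a SAML trace)
    and report whether its Assertion carries a usable Subject NameID.
    Diagnostic only: it does not verify the XML signature."""
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "reason": "no Assertion element in Response"}
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS).strip()
    attrs = {  # attribute name -> list of values, e.g. what an AD query populated
        a.get("Name"): [(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)]
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    return {
        "ok": bool(name_id),
        "reason": "" if name_id else "Subject NameID is empty: check the AD query / attribute mapping",
        "issuer": assertion.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "name_id": name_id,
        "audience": audience,
        "attributes": attrs,
    }

def build_sample_response(name_id: str, upn: str = "") -> str:
    """Constructed, unsigned sample IdP response, base64-encoded as in a POST binding."""
    attr = (f'<saml:AttributeStatement><saml:Attribute Name="upn">'
            f'<saml:AttributeValue>{upn}</saml:AttributeValue></saml:Attribute>'
            '</saml:AttributeStatement>') if upn else ""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
        '<saml:Assertion ID="_a1" Version="2.0">'
        '<saml:Issuer>https://idp.example.test/saml/idp</saml:Issuer>'
        '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
        f'{name_id}</saml:NameID></saml:Subject>'
        '<saml:Conditions><saml:AudienceRestriction><saml:Audience>https://sp.example.test'
        '</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
        f'{attr}</saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()
```

Feed the real SAMLResponse value from the trace to inspect_saml_response; an empty name_id with the AD attribute also missing points at the access policy branch rather than at the SP configuration.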