Forum Discussion
APM as a SP, with multiple IDP connectors, both IDP and SP initiated
Hi !
How to configure APM as a SP, with multiple IDP connectors receiving both IDP and SP initiated requests?
My rig
I'm using APM as a SP. My SP should support multiple IDPs, and both IDP initiated and SP initiated requests. I bind multiple IDP Connectors to my SP, and I use matching rules to select the correct IDP connector to use. I require all landing urls to my SP to contain a parameter 'idp'.
Example:
I configured my matching rules to match the session variable session.server.landinguri. I configured Matching Value for each IDP connector to match the value of the ‘idp’ parameter. Example: idp=some_idp
This works well for SP initiated.
The problem
When I added support for IDP initiated I ran into trouble. IDP initiated requests land on the ACS endpoint:
The url ACS will redirect to is transmitted using RelayState: ( RelayState: https://sp.host.no/landingpath&idp=some_idp )
Since the landinguri session variable no longer contains the idp parameter, matching fails and access is denied.
My (failed) fix attempts so far
-I tried adding the idp parameter to the ACS endpoint: but this caused the ACS request to fail.
-I tried changing the matching rule to match the idp parameter that is part of the RelayState (I found the relaystate in session.server.initial_req_body). While messy this will work, but only for IDP initiated. Now SP initiated fails, because initial_req_body doesn’t contain the idp parameter when the request is SP initiated (the RelayState is not populated yet).
-I’m unable to configure 2 matching rules for the same IDP Connector, which would have solved the problem
-One overly complex solution could be to write an iRule that pulls the idp parameter from either initial_req_body or landinguri, puts the result into a session variable, and then write a matching rule on that variable. But overly complex is not really my thing, hopefully there is a better way?
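As an added example (not part of the original post, and not F5-supplied code), this is what the iRule sketched in the last bullet could look like. It reads the 'idp' selector from session.server.landinguri on SP initiated requests and from the RelayState inside session.server.initial_req_body on IDP initiated requests, and stores the result in one custom session variable so a single matching rule per IDP connector can use it. Assumptions: session.server.initial_req_body holds the raw form body of the ACS POST (as observed in the thread), RelayState is a URL-encoded URL carrying idp=..., the variable name session.custom.idp is hypothetical and must be referenced by the rewritten matching rules, and the ACCESS_SESSION_STARTED event runs early enough that the variable exists before the SAML agent evaluates its matching rules.

```tcl
# Added example: normalise the IdP selector into one session variable so the
# IdP connector matching rules see the same input for SP and IdP initiated flows.
# session.custom.idp is a hypothetical variable name chosen for this example.
when ACCESS_SESSION_STARTED {
    set idp ""

    # SP initiated: the landing URI itself carries ...?idp=<value> (or &idp=<value>)
    set landing [ACCESS::session data get "session.server.landinguri"]
    if { $landing ne "" } {
        regexp {[?&]idp=([^&#]*)} $landing -> idp
    }

    # IdP initiated: the landing URI is the ACS path, so look at the POSTed
    # RelayState instead (assumed to be present as a form field in the body).
    if { $idp eq "" } {
        set body [ACCESS::session data get "session.server.initial_req_body"]
        foreach kv [split $body "&"] {
            if { [string match "RelayState=*" $kv] } {
                # "RelayState=" is 11 characters; the rest is the URL-encoded URL
                set relay [URI::decode [string range $kv 11 end]]
                regexp {[?&]idp=([^&#]*)} $relay -> idp
                break
            }
        }
    }

    # Only accept a conservative identifier shape; anything else leaves the
    # variable empty so no matching rule fires and access is denied as today.
    if { ![regexp {^[A-Za-z0-9_.-]{1,64}$} $idp] } {
        set idp ""
    }

    ACCESS::session data set "session.custom.idp" $idp
}
```

With this in place, each IDP connector keeps a single matching rule on session.custom.idp with its own value (for example some_idp), and the rule no longer depends on which endpoint the request landed on. The whitelist check at the end matters because RelayState is attacker-controlled input arriving before authentication completes, so it should never be copied into a session variable unvalidated.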
4 Replies
- Arnaud_Lemaire
Employee
Could you have a look at this sol and see if it fits the use case? https://support.f5.com/kb/en-us/solutions/public/15000/700/sol15756.html?sr=41439545
- Ingebrigt_Maurs
Nimbostratus
Hi Arnaud!
I use BIG-IP version 11.6.0 build 0.0.401 Final
My issue is not the same as SOL15756, but fails in a similar manner.
Interestingly, I also experience SOL15756:
- I use Postman to send an IDP initiated assertion to BIG-IP
- I kill the session using Manage Sessions -> Kill selected Sessions
- I use Postman to send a new IDP initiated assertion.
This will fail as described in SOL15756. If I retry step 3, it succeeds.
I found a workaround for SOL15756. If I clear my browser cache before step 3, the problem does not happen. I believe the cause of SOL15756 must be some problem with how BIG-IP handles clients when the serverside session has been deleted. When this happens I think serverside variables (like session.saml.last.result) are not properly populated.
The problem I experience is similar, it is caused by BIG-IP serverside variables not always being populated as required by my APM logic.
The reason the session variables are not populated is different in my scenario. In my scenario the cause is that IDP initiated and SP initiated requests populate serverside variables (like session.server.landinguri) differently. This creates a problem when I want to match requests to different IDP Connectors using Matching rules.
- kunjan
Nimbostratus
-I’m unable to configure 2 matching rules for the same IDP Connector, which would have solved the problem
How about creating an 'alias IdP connector' for every IdP connector so that 2 rules can be created. So now, one rule for SP initiated, maybe matching the landing uri with the existing IdP connector, and a 2nd rule matching initial_req_body with the corresponding alias IdP connector.
Not sure if you find the iRule option a less complex option :)