Forum Discussion
steirtet
Nimbostratus
NimbostratusAPM in clientless mode, support for SAML
Hello,
I am looking for a solution to have SAML support in clientless mode.
The fact is that my client application does not support any redirect. When the client connects to the SAML SP, no redirect ...
steirtetNimbostratus
NimbostratusHi,
Thanks for the answer, but this iRule retrieves the username/password without using SAML. The problem with SAML is that is using redirects between the SAML SP and the SAML IdP. In this case, redirects are not supported and not allowed. The problem remains, how to solve this via an iRule?
Thierry
Gabriel_V_13146Cirrus
Hi, there are several SAML profiles (options how to use the SAML messages). F5 supports the WebSSO profile - thus redirect/post SAML messages between SP and IdP. So it's not really clientless. I don't know if it helps, but just an idea - If your SP can consume a SAML assertion, you could use 'IdP-initiated' SSO, so you can let F5 send the LoginResponse directly without any request. That can be done setting up a webtop with SAML connectors. In that case the APM will expose links (I don't recall exact url, see the links which are bound to the webtop links) sending a SAML response to the SP. And as a login action your application just sends user to the exposed IdP link. Have fun Gabriel- Gabriel_V_13146If you really must be clientless - maybe the link provided is what you need.. Your application could send a SAML Soap message with username and password (or other credentials) and you will need to update the provided irule to dig the data from XML instead of a simple post..
