Forum Discussion
BIGIP how to handle multiple IDP each with multiple external SP
Hi
I get that it can be done, and lots of posts say yes, it can be done, and links on the docs saying yeah, it can be done.
But no actual "this is how to do it". The training course / video are based on single instances without multi-domain SSO turned on.
Say I have auth.example.com as my multi-domain landing URI and I attach my SAML IdP here.
So I go to Proofpoint and it sends me to auth.example.com.
If I have a session already then the APM will not fire (per session), so it will not re-assert itself.
If I don't have one then I log the person in - but how do I tell which SAML it's based upon, and also I have to realise it's a SAML request by the fact of the landing URI ...
Thinking about this, I think I have to start to look at per-request APM and make decisions based there.
So how do I find the SP Entity ID in APM, or do I need to do it in an iRule, or ?
- AlexBCT, May 03, 2021
Cumulonimbus
Here are a couple of tools that I often use for SAML configs, to help you decode the information that goes between the SP and the IdP:
- https://www.samltool.com/online_tools.php
- SAML tracer (browser plugin, available for Firefox and Chrome at least)
I'd start with the SAML tracer, run it once in your browser while you go through the login process, and see the SAML messages from SP to IdP, and back again, and dissect them from there to find the information you need.
It's indeed often a puzzle to see how everything fits together and can take some time to set it up, but as long as you like puzzles, you should be fine... ;)
- AlexS_yb, May 03, 2021
Cirrocumulus
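To show what the tracer output actually contains, here is an added example (not from the thread, and not F5 code) that undoes the transport encoding of a SAMLRequest parameter and pulls out the SP Entity ID (the Issuer), which is the value the question asks for. The AuthnRequest and hostnames are constructed for the demo.

```python
import base64
import zlib
import urllib.parse
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def decode_saml_message(value: str, binding: str) -> bytes:
    """Undo the transport encoding of a SAMLRequest/SAMLResponse parameter.

    HTTP-Redirect: URL-encoded, base64, raw DEFLATE. HTTP-POST: base64 only.
    """
    raw = base64.b64decode(urllib.parse.unquote(value))
    if binding == "redirect":
        # wbits=-15 selects raw DEFLATE (no zlib header), as the binding requires
        return zlib.decompress(raw, -15)
    return raw

def describe_authn_request(xml_bytes: bytes) -> dict:
    """Return the fields an IdP needs to tell SPs apart: Issuer, ACS URL, Destination."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    issuer = root.find("saml:Issuer", NS)
    return {
        "sp_entity_id": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
        "request_id": root.get("ID"),
    }

def encode_redirect(xml_bytes: bytes) -> str:
    """Reverse of decode for the Redirect binding; only used to build the sample."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_bytes) + compressor.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")

# Constructed sample AuthnRequest (hypothetical SP and IdP hostnames)
SAMPLE_AUTHN_REQUEST = b"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-1"
  Version="2.0" IssueInstant="2021-05-03T10:00:00Z"
  Destination="https://auth.example.com/saml/idp/profile/redirectorpost/sso"
  AssertionConsumerServiceURL="https://sp-one.example.com/saml/acs">
  <saml:Issuer>https://sp-one.example.com/saml/metadata</saml:Issuer>
</samlp:AuthnRequest>"""

def demo() -> dict:
    param = encode_redirect(SAMPLE_AUTHN_REQUEST)  # what SAML tracer shows as SAMLRequest
    return describe_authn_request(decode_saml_message(param, "redirect"))

if __name__ == "__main__":
    print(demo())
```

Paste a real SAMLRequest value from the tracer into decode_saml_message to get the same fields; on the IdP side it is the Issuer that has to be matched against the configured SP connectors.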
Thanks all, very helpful.
Parked the project for a few weeks - putting in a PO.. will play again once I get hold of hardware.