Diferent Policies Bracnhes based on SAML request

Question

Hi,&nbsp;
I would like to have an idp for a multiple SP (Sp1, and SP2) . The connection is SP initiated to the idp.
For security reasons SP1 and SP2 need diferents policies to verify the user..&nbsp;
Instead of create differents idp, we would like ( if it's possible ) to make diferents branches on the policy based on the SAML autentication request like ProviderName or AssertionConsumerServiceURL.&nbsp;
I dont' know exactly how to write the irule and how to get the variables from the SAML request.&nbsp;
THe idea could be.&nbsp;
VS ( idp )  ==&gt; { ACL irule  }  if ( AssertionConsumerServiceURL = SP1 )  ==&gt;  polici for SP1
                                if ( AssertionConsumerServiceURL = SP2 )  ==&gt;  polici for SP2&nbsp;
Thanks in advance&nbsp;

michael_koyfma1 · Answer

Is APM acting as IDP, and SPs are external to it? Can you please elaborate/post more details on what the different policies you want/need to follow to verify the user?&nbsp;

manel_mendoza_1 · Answer

Hi Michael,&nbsp;
I will put an example.&nbsp;
App1:  url:  app1.provider.com  ==&gt; Very confidential APP. Need a SAML tiquet with atribute "security level = hight"
App2:  url:  app2.provider.com  ==&gt; Very low confidencial APP. Need a SAML tiquet with atribute "security level = low"
...&nbsp;
Both need a saml tiquet, and both redirects to the same idp to obtain it, but on the policy of the F5 when the PrivederName= APP1 the policy would request 2 factor autentication .  On the other hand, when the idp detects that the providename = APP2, only with username or password is enought. &nbsp;
This is the reason why we need to branch the policy on the idp based on SAML request PrivederName.&nbsp;

manel_mendoza_1 · Answer

Hi Michael,&nbsp;
I will put an example.&nbsp;
App1:  url:  app1.provider.com  ==&gt; Very confidential APP. Need a SAML tiquet with atribute "security level = hight"
App2:  url:  app2.provider.com  ==&gt; Very low confidencial APP. Need a SAML tiquet with atribute "security level = low"
...&nbsp;
Both need a saml tiquet, and both redirects to the same idp to obtain it, but on the policy of the F5 when the PrivederName= APP1 the policy would request 2 factor autentication .  On the other hand, when the idp detects that the providename = APP2, only with username or password is enought. &nbsp;
This is the reason why we need to branch the policy on the idp based on SAML request PrivederName.&nbsp;

bradhanson · Answer

I have this same need. authentication will depend on the AssertionConsumerServiceURL.   This is the IdP.How can that value be obtained in the policy editor?   It would be very useful.&nbsp;

Forum Discussion

Diferent Policies Bracnhes based on SAML request

Recent Discussions

iRule to Change Default Pool (not redirect to another pool)?

What is the best practice for migrating from iseries to rseries?

iRule to Force Source IP to Specific Backend Node

checking the fan status on the device.

what is this serial number b1:e5:bd:8f:2x:58:xx:27 in device certificate?

Related Content

Minimizing Security Complexity: Managing Distributed WAF Policies

LTM Policy

Fileless Malware, Anti-Cheat Transparency, & NGINX OSS Security Policy

iControl REST Cookbook - LTM policy (ltm policy)

Auditing Security Policy Updates

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS