For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Youssef_Ghorbal's avatar
Youssef_Ghorbal
Icon for Cirrus rankCirrus
Nov 30, 2014
Solved

F5 APM behaviour similar to "requireSession off" of Shibboleth SP

Hello,   I'm trying to replace a Shibboleth SP with APM (SAML SP.) In some use cases it works as a charm, but for other use cases I can't figure out how to make it work. One of the use cases I'm s...
BIG-IP Access Policy Manager (APM)
design
saml
security
TMOS
  • Youssef_Ghorbal's avatar
    Youssef_Ghorbal
    May 24, 2016

    I'll answer myself. I've came up with a iRule that can do this. Assuming :

    • The trigger URL is /websso/login
    • The query attribute to handle the landing URI is named "target"
    • You already have an Access Policy activated for your VS that is configured for SAML

    The iRule goes like that :

    when HTTP_REQUEST {

 set apm_cookie [HTTP::cookie value MRHSession]

 set app_target [URI::query [HTTP::uri] "target"]
 if { ( [string length $app_target] == 0 ) } {
  set app_target "/"
 }

 if { ( [ACCESS::session exists -state_allow $apm_cookie] ) } {
  if { ( [HTTP::uri] starts_with "/websso/login" ) or ( [HTTP::uri] starts_with "/saml/sp/profile/post/acs" ) } {
   HTTP::redirect $app_target
  }
  return
 }

 if { ( [HTTP::uri] starts_with "/websso/login" ) or ( [HTTP::uri] starts_with "/saml/sp/profile/post/acs" ) } {
  return
 }

 ACCESS::disable
}

    The idea, is to disable APM for all requests by default and enable it when a cookie session is present or that the URI is the one that triggers the authentication.

    Maybe this will help someone, one day.

    /saml/sp/profile/post/acs is a special URL handled by the APM module itself, it's the endpoint that consumes the SAML assertion (back from the IdP)

Youssef_Ghorbal's avatar
Youssef_Ghorbal
Icon for Cirrus rankCirrus
May 24, 2016

I'll answer myself. I've came up with a iRule that can do this. Assuming :

  • The trigger URL is /websso/login
  • The query attribute to handle the landing URI is named "target"
  • You already have an Access Policy activated for your VS that is configured for SAML

The iRule goes like that :

when HTTP_REQUEST {

 set apm_cookie [HTTP::cookie value MRHSession]

 set app_target [URI::query [HTTP::uri] "target"]
 if { ( [string length $app_target] == 0 ) } {
  set app_target "/"
 }

 if { ( [ACCESS::session exists -state_allow $apm_cookie] ) } {
  if { ( [HTTP::uri] starts_with "/websso/login" ) or ( [HTTP::uri] starts_with "/saml/sp/profile/post/acs" ) } {
   HTTP::redirect $app_target
  }
  return
 }

 if { ( [HTTP::uri] starts_with "/websso/login" ) or ( [HTTP::uri] starts_with "/saml/sp/profile/post/acs" ) } {
  return
 }

 ACCESS::disable
}

The idea, is to disable APM for all requests by default and enable it when a cookie session is present or that the URI is the one that triggers the authentication.

Maybe this will help someone, one day.

/saml/sp/profile/post/acs is a special URL handled by the APM module itself, it's the endpoint that consumes the SAML assertion (back from the IdP)