Forum Discussion

Youssef_Ghorbal's avatar
Nov 30, 2014

F5 APM behaviour similar to "requireSession off" of Shibboleth SP

Hello,   I'm trying to replace a Shibboleth SP with APM (SAML SP.) In some use cases it works as a charm, but for other use cases I can't figure out how to make it work. One of the use cases I'm s...
  • Youssef_Ghorbal's avatar
    May 24, 2016

    I'll answer myself. I've came up with a iRule that can do this. Assuming :

    • The trigger URL is /websso/login
    • The query attribute to handle the landing URI is named "target"
    • You already have an Access Policy activated for your VS that is configured for SAML

    The iRule goes like that :

    when HTTP_REQUEST {
    
     set apm_cookie [HTTP::cookie value MRHSession]
    
     set app_target [URI::query [HTTP::uri] "target"]
     if { ( [string length $app_target] == 0 ) } {
      set app_target "/"
     }
    
     if { ( [ACCESS::session exists -state_allow $apm_cookie] ) } {
      if { ( [HTTP::uri] starts_with "/websso/login" ) or ( [HTTP::uri] starts_with "/saml/sp/profile/post/acs" ) } {
       HTTP::redirect $app_target
      }
      return
     }
    
     if { ( [HTTP::uri] starts_with "/websso/login" ) or ( [HTTP::uri] starts_with "/saml/sp/profile/post/acs" ) } {
      return
     }
    
     ACCESS::disable
    }
    

    The idea, is to disable APM for all requests by default and enable it when a cookie session is present or that the URI is the one that triggers the authentication.

    Maybe this will help someone, one day.

    /saml/sp/profile/post/acs is a special URL handled by the APM module itself, it's the endpoint that consumes the SAML assertion (back from the IdP)