Forum Discussion
F5 APM behaviour similar to "requireSession off" of Shibboleth SP
- May 24, 2016
I'll answer myself. I've come up with an iRule that can do this. Assuming:
- The trigger URL is /websso/login
- The query attribute to handle the landing URI is named "target"
- You already have an Access Policy activated for your VS that is configured for SAML
The iRule goes like this:
when HTTP_REQUEST {
    # APM session cookie and the landing URI requested by the application
    set apm_cookie [HTTP::cookie value MRHSession]
    set app_target [URI::query [HTTP::uri] "target"]
    if { ( [string length $app_target] == 0 ) } {
        set app_target "/"
    }
    # A valid (allowed) APM session already exists
    if { ( [ACCESS::session exists -state_allow $apm_cookie] ) } {
        # Hitting the trigger URL or the SAML ACS again just sends the user on to the target
        if { ( [HTTP::uri] starts_with "/websso/login" ) or ( [HTTP::uri] starts_with "/saml/sp/profile/post/acs" ) } {
            HTTP::redirect $app_target
        }
        return
    }
    # No session: only the trigger URL and the SAML ACS go through the access policy
    if { ( [HTTP::uri] starts_with "/websso/login" ) or ( [HTTP::uri] starts_with "/saml/sp/profile/post/acs" ) } {
        return
    }
    # Everything else bypasses APM
    ACCESS::disable
}
The idea is to disable APM for all requests by default and enable it when a session cookie is present or the URI is the one that triggers the authentication.
Maybe this will help someone, one day.
/saml/sp/profile/post/acs is a special URL handled by the APM module itself; it's the endpoint that consumes the SAML assertion (back from the IdP).
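A hardened variant of the same rule, added here as an example and not part of the original answer: it keeps the same flow and the same assumptions (trigger URL /websso/login, landing URI in the "target" query parameter, an APM access policy with SAML already attached to the virtual server), but only uses "target" for the redirect when it is a site-relative path, so the login entry point cannot be used to send a browser to another host.

```tcl
# Added example, not the original poster's iRule. Same assumptions as the
# answer above (trigger URL /websso/login, landing URI in query parameter
# "target", APM access policy with SAML SP attached to the virtual server).
# Difference: "target" is only honoured when it is a site-relative path;
# anything else (empty, http://host/..., //host/..., \host) falls back to "/".
when HTTP_REQUEST {
    set apm_cookie [HTTP::cookie value MRHSession]
    set app_target [URI::query [HTTP::uri] "target"]

    # Accept only a path that starts with a single "/" (not "//" or "/\").
    if { [string length $app_target] == 0 \
         || [string index $app_target 0] ne "/" \
         || [string index $app_target 1] eq "/" \
         || [string index $app_target 1] eq "\\" } {
        set app_target "/"
    }

    # Is this one of the two URIs that must reach the APM access policy?
    set is_sso_uri 0
    if { ([HTTP::uri] starts_with "/websso/login") \
         || ([HTTP::uri] starts_with "/saml/sp/profile/post/acs") } {
        set is_sso_uri 1
    }

    if { [ACCESS::session exists -state_allow $apm_cookie] } {
        # Already authenticated: the SSO endpoints just bounce to the application.
        if { $is_sso_uri } {
            HTTP::redirect $app_target
        }
        return
    }

    if { $is_sso_uri } {
        # No session yet: let APM run the access policy (SAML redirect / ACS).
        return
    }

    # Every other request is passed through without APM, like requireSession off.
    ACCESS::disable
}
```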