F5 SAML IdP - SP Initiated SSO for Unauthorized User Behavior

Question

We're using a Webtop to handle SP-Initiated and IdP-Initiated (Webtop Initiated) SAML SSO into multiple applications. Our access policy uses advanced resource assignment to assign specific SAML apps to specific users (AD Groups). &nbsp;
Unfortunately, if our users go to a SAML enabled website directly that they are unauthorized for, and performs an SP-Initiated login, the Access Policy allows them through, but doesn't assign them the SAML App, which results in a connection reset error after the access policy is completed.&nbsp;
Here is our Access Policy:&nbsp;
&nbsp;
Is there a way to instead display an Unauthorized/Access Denied F5 page using the VPE? If so, how would I go about that since we are using advanced resource assignment?&nbsp;

daniel_w_ · Answer

I have the same issue and didn't find a solution until now. Hope that somebody can help us.

walter_kacynski · Answer

I asked this same question to support two weeks back and an RFE has been opened as ID515539 &nbsp;

michael_ebbels · Answer

Hi Guys,&nbsp;
Have a look at the variable session.server.landinguri in apm.&nbsp;
When an SP initiated request occurs, it should be hitting &nbsp;
Create a logic check in APM for the SP resource and gracefully deny the user and vice vera.&nbsp;
Hope that helps&nbsp;
Cheers
Mike&nbsp;

Forum Discussion

F5 SAML IdP - SP Initiated SSO for Unauthorized User Behavior

Recent Discussions

What does "EPS" in ddos threshold setting stands for?

F5 as DNS over TLS Proxy

F5xC Migration

Monitor multiple services on one service

cve protection via Big-IP

Related Content

Proxy Protocol v2 Initiator

iRules variables in BIG-IP Next: behavior change

Proxy Protocol Initiator

Behavior of outbound DNS query from LTM behavior

AI Safety: Navigating Deception, Emergent Goals, and Power-seeking Behaviors

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS