Forum Discussion
How do I determine SP origin on a BigIP IdP
- Apr 15, 2020
Hi Samuel
How did you go with delv3chio's solution? Wish that was around 9 months ago ;)
We have an iLX plugin that inflates/parses the incoming SAML assertion. It grabs the issuer and/or the ACS URL and we then make decisions in the policy based on the returned results.
Cheers,
Simon
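The kind of parsing described in the post above (inflate the incoming SAMLRequest, then read the issuer and ACS URL), as an added Node.js example that is not the iLX plugin from the thread. The function names, the `REGISTERED_SPS` allowlist and the sample request are all assumptions constructed for illustration.

```javascript
// Added example, not the plugin from the post. All names here are hypothetical.
const zlib = require('zlib');

// Constructed allowlist: SP entity ID -> the ACS URL registered for that SP.
const REGISTERED_SPS = {
  'https://sp1.example.com/metadata': 'https://sp1.example.com/saml/acs',
  'https://sp2.example.com/metadata': 'https://sp2.example.com/saml/acs',
};

// Decode a SAMLRequest parameter value (already URL-decoded).
// HTTP-Redirect binding: base64 + raw DEFLATE; HTTP-POST binding: base64 only.
function decodeSamlRequest(value, binding) {
  const raw = Buffer.from(value, 'base64');
  if (binding === 'redirect') {
    // Cap the output size so a crafted request cannot expand without bound.
    return zlib.inflateRawSync(raw, { maxOutputLength: 65536 }).toString('utf8');
  }
  return raw.toString('utf8');
}

// Pull the Issuer text and the AssertionConsumerServiceURL attribute.
// Regex extraction keeps this dependency-free; a real plugin should use an XML parser.
function identifySp(xml) {
  const issuer = /<(?:[\w-]+:)?Issuer\b[^>]*>\s*([^<\s]+)\s*<\//.exec(xml);
  const acs = /\bAssertionConsumerServiceURL\s*=\s*"([^"]*)"/.exec(xml);
  const entityId = issuer ? issuer[1] : null;
  const acsUrl = acs ? acs[1] : null;
  // The request may be unsigned, so both values are untrusted input: accept only a
  // known issuer whose ACS URL (when supplied) matches the registered one.
  const registered = entityId !== null &&
    Object.prototype.hasOwnProperty.call(REGISTERED_SPS, entityId);
  const trusted = registered && (acsUrl === null || acsUrl === REGISTERED_SPS[entityId]);
  return { entityId, acsUrl, trusted };
}

// Constructed sample AuthnRequest, encoded the way the Redirect binding sends it.
const SAMPLE_XML =
  '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' +
  'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" Version="2.0" ' +
  'AssertionConsumerServiceURL="https://sp1.example.com/saml/acs">' +
  '<saml:Issuer>https://sp1.example.com/metadata</saml:Issuer></samlp:AuthnRequest>';
const SAMPLE_PARAM = zlib.deflateRawSync(Buffer.from(SAMPLE_XML, 'utf8')).toString('base64');

console.log(identifySp(decodeSamlRequest(SAMPLE_PARAM, 'redirect')));
```

Branching on `entityId` only when `trusted` is true keeps a policy decision from resting on an issuer or ACS value that no registered SP stands behind.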
The best way I can think of to do this is to have each of the SPs send to their own SSO URL, branch these off in the VPE by landing URI, then re-assign the landing URI as 'return {/saml/idp/profile/redirectorpost/sso/}' before they hit the login page and it will maintain that SAMLRequest from the SP and continue on as SP initiated connections.
Otherwise, if you do not re-assign the landing URI, the BIG-IP will not recognize the connection as SP initiated, drop the SAMLRequest, and treat the connection as if it was IdP initiated.
I wrote this support solution:
Hope it helps!