Forum Discussion
How to set up SAML Authentication to multiple Virtual Servers behind one Virtual Server.
Hi All.
We have just deployed our first Big-IP and have run into a problem with LTM/APM with SAML authentication. Here is a description of our issue; any help would be greatly appreciated.
We have 3 different applications available from the same domain:
apps.company.com/app1/
apps.company.com/app2/
apps.company.com/app3/
Each application has its own webserver pool, so we have set up a different Virtual Server for each app.
There is a common Virtual Server accepting incoming connections for all apps (due to DNS resolving to one IP for all 3 apps) and distributing to the appropriate application virtual server via an iRule:
when HTTP_REQUEST {
    if { [HTTP::uri] contains "app1" } {
        virtual app1_vs
    }
    if { [HTTP::uri] contains "app2" } {
        virtual app2_vs
    }
    if { [HTTP::uri] contains "app3" } {
        virtual app3_vs
    }
}
Up to this point everything works great and as desired. Our issue is we cannot get SAML working for any of these apps. We believe that it's not working because of the common Virtual Server that accepts incoming connections and distributes them based on URI. When we try to access one of our apps via SAML the browser gets stuck at https://apps.company.com/my.policy.
In this scenario the Big-IP is the SAML Service Provider and we have an external IdP that we use.
Any help or advice would be greatly appreciated.
1 Reply
- Stanislas_Piro2
Cumulonimbus
Hi,
Why are you using sub virtual servers instead of pool assignment with the iRule?
when ACCESS_ACL_ALLOWED {
    if { [HTTP::uri] starts_with "/app1" } {
        pool app1_pool
    } elseif { [HTTP::uri] starts_with "/app2" } {
        pool app2_pool
    } elseif { [HTTP::uri] starts_with "/app3" } {
        pool app3_pool
    }
}
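A stricter variant of the pool-assignment rule in the reply above, added here as an example and not code from either poster. It matches on `HTTP::path` (which excludes the query string, unlike `HTTP::uri`) and on a full path segment, so `/app10/` or `/other?next=/app1` cannot select `app1_pool`. The pool names come from the reply; the 404 default is an assumption.

```tcl
# Runs only after the APM access policy has allowed the request,
# so pool selection never happens for an unauthenticated session.
when ACCESS_ACL_ALLOWED {
    # HTTP::path is the request path without the query string.
    # Each application matches either the bare prefix or the prefix
    # followed by "/", which keeps "/app1" from also matching "/app10".
    switch -glob -- [HTTP::path] {
        "/app1" -
        "/app1/*" {
            pool app1_pool
        }
        "/app2" -
        "/app2/*" {
            pool app2_pool
        }
        "/app3" -
        "/app3/*" {
            pool app3_pool
        }
        default {
            # Assumption: paths outside the three applications are refused
            # instead of falling through to the virtual server's default pool.
            HTTP::respond 404 content "Not Found"
        }
    }
}
```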