Forum Discussion

Ingebrigt_Maurs
Oct 27, 2014

IDP initiated binding with APM as SP

Hi!

I have a working setup with APM as Service Provider, using SP-initiated binding.

Now I have an IDP that wants to use IDP-initiated binding, but I am unable to find good documentation for how to set this up:

How to configure the External IDP connector? When using IDP-initiated binding the IDP will not have a Single Sign On Service URL, yet this is mandatory in the configuration.

Should the IDP initiate by redirecting the User Agent to POST a SAMLResponse to:

  • the ACS service?
  • a custom service (that in turn redirects to the ACS service)?

The ACS service is generated by APM (it appears on /saml/sp/profile/post/acs), how to control where it redirects users after authentication?

4 Replies

  • Configuring the External IDP connector should be fairly simple. Every SAML provider should be able to export its config via metadata. You should export your IDP config via Metadata and then choose Import as the method for creating an IDP connector.

    There is one key difference in getting IDP-initiated assertions to work: you need to specify a RelayState value in the SP SAML configuration field. Check out this page:

    https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-saml-config-guide-11-3-0/4.html

    Specifically, on the Relay State:

    Optional: In the Relay State field, type a value. The value can be an absolute path, such as hr/index.html or a URI, such as https://www.abc.com/index.html. It is where the service provider redirects users after they are successfully authenticated and have been allowed by the access policy. When APM receives the relay state from the Identity Provider in addition to assertion, then it uses the value received from the IdP to redirect the user. Otherwise, APM uses the value from this configuration.

  • Thanks for a good answer, it led me in the right direction.

    Unfortunately I do not have an IDP configured for IDP-initiated binding to test with. But I tested using my existing SP and my existing External IDP Connector, with an unsolicited POST containing SAMLResponse and RelayState. This should simulate how the IDP-initiated workflow would look for the SP.

    I use Postman and POST directly against my SP's ACS service with RelayState and SAMLResponse set up more or less the same as how SP-initiated requests to the ACS are made. I did modify the SAMLResponse a bit, including removing the InResponseTo attributes.

    I had some trouble with signing, encoding/escaping, etc., but resolved those. But my ACS then failed SAML Auth. After some searching I found that the problem was that I have multiple SAML IDP Connectors bound to my SP, and they are matched using the landinguri

    %{session.server.landinguri}
    Based on logs I suspect the landinguri is not available when I make an IDP initiated call, and the matching rules fail.

    I edited my SP to remove all but one SAML IDP Connectors and could then remove the matching rules. With this setup it all worked.

    However, I would still like to configure my SP with multiple IDPs (and to do so I must use matching rules).

    Any idea how to make this work?

    As I understand it, the simplest solution would probably be to make sure

    %{session.server.landinguri}
    is populated when SAMLAuth runs the matching rules. But the ACS is generated by APM, so I have no idea how to do this.

    • Ingebrigt_Maurs

      I found a workaround. By inspecting my session I found that the value of RelayState is available in *session.server.initial_req_body*. When I changed the matching expression to match initial_req_body I am able to get matching rules to work. This is very messy though, since the full request body is large and not a good place to regexp against.

      From the log I can see that landinguri is populated in IDP initiated, with the acs service:

      Oct 30 13:13:25 bigip-test debug apd[11602]: 01490000:7: ./AccessPolicyProcessor/Session.h func: "getSessionVar()" line: 356 Msg: variable found, lets add it to the local cache "session.server.landinguri"="/saml/sp/profile/post/acs"(length=25)

      It would be desirable if APM would map the value of RelayState either to a separate session variable, or to the landinguri session variable.