Forum Discussion
IDP initiated binding with APM as SP
Thanks for a good answer, it led me in the right direction.
Unfortunately I do not have an IDP configured for IDP-initiated login to test with. But I test using my existing SP and my existing External IDP Connector, using an unsolicited POST containing SAMLResponse and RelayState. This should simulate how the IDP-initiated workflow would look for the SP.
I use Postman and POST directly against my SP's ACS service with RelayState and SAMLResponse set up more or less the same as how SP-initiated requests to the ACS are made. I did modify the SAMLResponse a bit, including removing the InResponseTo attributes.
I had some trouble with signing, encoding/escaping, etc., but resolved those. But my ACS then failed SAML Auth. After some searching I found that the problem was that I have multiple SAML IDP Connectors bound to my SP, and they are matched using the landinguri: %{session.server.landinguri}
Based on logs I suspect the landinguri is not available when I make an IDP initiated call, and the matching rules fail.
I edited my SP to remove all but one SAML IDP Connectors and could then remove the matching rules. With this setup it all worked.
However, I would still like to configure my SP with multiple IDPs (and to do so I must use matching rules).
Any idea how to make this work?
As I understand it, the simplest solution would probably be to make sure %{session.server.landinguri} is populated when SAMLAuth runs the matching rules.
But the ACS is generated by APM, so I have no idea how to do this.
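The unsolicited HTTP-POST binding described above, as an added example that is not from the original post or from F5: it builds the form body an IdP would post to an ACS (unsigned, with the InResponseTo attribute left out for the IdP-initiated case) and shows the check an ACS performs to tell an IdP-initiated response from an SP-initiated one. The issuer, ACS URL and request IDs are constructed sample values; the classification is illustrative of the SAML rule, not APM's own logic.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_post_body(issuer, acs_url, response_id, relay_state, in_response_to=None):
    """Return the urlencoded form body of an HTTP-POST binding.

    Constructed sample: the Response is unsigned and carries no Assertion.
    For the IdP-initiated case in_response_to stays None, so no InResponseTo
    attribute is emitted (there was never an AuthnRequest to refer to).
    """
    attrs = {"ID": response_id, "Version": "2.0",
             "IssueInstant": "2024-01-01T00:00:00Z", "Destination": acs_url}
    if in_response_to is not None:
        attrs["InResponseTo"] = in_response_to
    resp = ET.Element(f"{{{SAMLP}}}Response", attrs)
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    fields = {"SAMLResponse": base64.b64encode(ET.tostring(resp)).decode("ascii"),
              "RelayState": relay_state}
    return urllib.parse.urlencode(fields)


def classify_response(form_body, outstanding_request_ids):
    """Decode a posted SAMLResponse and decide how an ACS should treat it.

    Returns (verdict, relay_state): 'idp-initiated' when InResponseTo is absent
    (RelayState is then a target location, not a reference to SP state),
    'sp-initiated' when InResponseTo names a request this SP issued, and
    'reject' when it names a request the SP never sent.
    For untrusted input in production, parse with defusedxml instead.
    """
    fields = urllib.parse.parse_qs(form_body)
    root = ET.fromstring(base64.b64decode(fields["SAMLResponse"][0]))
    relay_state = fields.get("RelayState", [None])[0]
    if root.tag != f"{{{SAMLP}}}Response":
        return "reject", relay_state
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        return "idp-initiated", relay_state
    if in_response_to in outstanding_request_ids:
        return "sp-initiated", relay_state
    return "reject", relay_state
```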
