Forum Discussion
Idp Initiated SAML Single Sign On
Is it possible to go directly to a virtual server, authenticate and then POST the assertion directly to the service provider using BIG-IP? I've been testing this and I cannot get the application to go further once the access policy successfully completes.
4 Replies
- James_Thomson
Employee
Were you able to get this working? IDP initiated SAML should work just fine. In the IDP, there's a configuration for where to send the request after it is done processing.
- Rabbit23_116296
Nimbostratus
Hey
Yeah, I got IdP initiated SSO to work, but for services to do this I had to assign to webtop and then an iRule to 302 the browser to the relevant webtop link. So it's not ideal but it does the job. I believe this is what RelayState is for but I couldn't get this to work.
The RelayState is to carry additional information that the IDP has specified. I'm running into the same issue. If you start from the SP it all works, but if you want to start from the IDP it's a lot trickier. There are a couple of answers on DevCentral but you have to use an iRule. Sorry, can't remember the direct article.
If they establish a session to the webtop then you can link to the IDP as follows: https://myfed.corp.com?saml_res=xyz (use the logs to get this information). I'm about to try this using NTLM so the sign-on is seamless, and try the links that I stated above.
- Rabbit23_116296
Nimbostratus
Yes, NTLM works great - I have an NTLM SSO solution https://devcentral.f5.com/s/articles/ntlm-integrated-sso-for-saml-with-the-apm-module-and-an-external-logon-page which works well for me, but I'd advise you to try Michael's - he really did an amazing job with his implementation and it's entirely native to the appliance - https://devcentral.f5.com/s/articles/leveraging-big-ip-apm-for-seamless-client-ntlm-authentication Let me know how it goes for you!