iRule - Access to External IdP connectors

Question

Hi,&nbsp;
I have APM setup as a Service Provider with multiple IdP connectors.&nbsp;
I was wondering if there is a way to get at the list of IdP connectors and the matching values I have setup in as part of an iRule? I'm trying to work out where someone is coming from, and the logic runs before it gets to the access policy and 'SAML Auth' part of the process.&nbsp;
I was hoping to use the IdP external connectors instead of creating a datagroup that just duplicates what I already have.&nbsp;
Cheers,
Simon&nbsp;

seth_cooper · Answer

I don't believe there is a way to get this list using an iRule.  Your best bet is to use a datagroup.&nbsp;
-Seth&nbsp;

michael_koyfma1 · Answer

Can you please elaborate a scenario that you are trying to achieve/configure? There might be a way to accomplish it without doing what you're looking to do. I've never encountered a need to do what you are asking for in iRules.

razortt · Answer

Hi Michael,&nbsp;
I have a virtual server, https://app.acme.com that stakeholders use to access our application. 
I have a virual server, https://login.acme.com that is setup as a Service Provider and has an access policy that uses SAML auth for authentication.&nbsp;
If a users wants to login to the default page of the application they would click a short cut that links to https://app.acme.com/abc. When they hit app.acme.com they are seen to be unauthenticated and be redirected to login.acme.com/abc. abc is an acronym that we use to do the IdP matching. &nbsp;
Once the user is authenticated they are redirect back to https://app.acme.com and can access the application.&nbsp;
This all works fine if users access the application through default shortcuts, but if someone were to be sent a link to https://app.acme.com/reports then we need some way to identify which stakeholder they are. What I was thinking of doing was to take the start of the HTTP::uri and comparing that to the list of IdP external connectors matching valuse we have configured. If there is a match then proceed with the AP as expected. If there isn't a match, then redirect the user to a form where they can select their agency from a drop down list. &nbsp;
To make things more friendly, once they have selected who they are I will store that in a session cookie to limit the number of times they see the form.&nbsp;
Is there an more obvious way I could do this that I have missed? Appreciate any thoughts/insights.&nbsp;
Cheers,
Simon&nbsp;

Forum Discussion

iRule - Access to External IdP connectors

3 Replies

Recent Discussions

URL

Portal Access to HTTPS resources slow

HOW TO HIRE A HACKER TO RECOVER STOLEN BITCOIN. CONTACT FASTFUND RECOVERY

Big-IP Next 20.2.0-2.375.1+0.0.43 iRule count problem

rewrite Azure AD response for portal access via web portal

Related Content

Re: Enabling F5 Distributed Cloud Fraud and Risk Solutions with Forgerock Connector

Knowledge sharing: Containers, Kubernetes, Openshift, F5 Container Connector, NGINX Ingress

Federated AWS Console Access Made Easy: F5 BIG-IP Access Policy Manager Access Guided Configurations

CSV to Address External Datagroup File

External Monitor Information and Templates