Forum Discussion
Is there a way in iRules to modify which IDP profile the APM selects?
A check of SAML attributes must be done to search for a unique identifier of the SP.
So you're saying that inside the SAML auth request from the SP, there is indeed a unique attribute that refers back to that SP? If that's true, then you also need the SP to send the auth request as a POST vs. HTTP redirect. Per OASIS standards, a SAML auth request in the URL of a redirect is both base64-encoded and compressed, and iRules don't have gzip or inflate/deflate functions. In a POST however it's only base64-encoded, so you could absolutely catch the SAML auth request (POST) coming to the IdP, decode it, parse through it for the unique attribute, and then forward to the correct IdP SSO.
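
The difference between the two bindings described in the answer above, as an added Python example (not iRule code and not from the original posts). It assumes the SP's unique identifier is the `saml:Issuer` element of the AuthnRequest; the entity IDs, the profile names and the `IDP_BY_ISSUER` map are hypothetical.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_XML_BYTES = 64 * 1024  # cap on decoded/inflated request size

# Hypothetical allow-list: SP entityID -> IdP configuration name.
IDP_BY_ISSUER = {
    "https://sp1.example.com/metadata": "idp_profile_sp1",
    "https://sp2.example.com/metadata": "idp_profile_sp2",
}

def decode_authn_request(saml_request, binding):
    """Return AuthnRequest XML bytes; saml_request is already URL-decoded."""
    raw = base64.b64decode(saml_request, validate=True)
    if binding == "redirect":
        # HTTP-Redirect binding: raw DEFLATE (no zlib header) under the base64.
        xml = zlib.decompressobj(-15).decompress(raw, MAX_XML_BYTES + 1)
    elif binding == "post":
        xml = raw  # HTTP-POST binding: base64 only
    else:
        raise ValueError("unknown binding")
    if len(xml) > MAX_XML_BYTES:
        raise ValueError("request too large")
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD not allowed in SAML message")
    return xml

def issuer_of(xml):
    """Extract the saml:Issuer text (the SP entityID) from an AuthnRequest."""
    node = ET.fromstring(xml).find("{%s}Issuer" % SAML_ASSERTION_NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("no Issuer in request")
    return node.text.strip()

def select_idp(saml_request, binding):
    """Map the request's Issuer to an IdP config; None if not allow-listed."""
    return IDP_BY_ISSUER.get(issuer_of(decode_authn_request(saml_request, binding)))

# Constructed sample AuthnRequest, encoded once per binding.
SAMPLE_XML = (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">'
              b'<saml:Issuer>https://sp2.example.com/metadata</saml:Issuer>'
              b'</samlp:AuthnRequest>')
POST_VALUE = base64.b64encode(SAMPLE_XML).decode()
_c = zlib.compressobj(wbits=-15)
REDIRECT_VALUE = base64.b64encode(_c.compress(SAMPLE_XML) + _c.flush()).decode()
```

Treat the Issuer as an untrusted routing hint: the allow-list lookup keeps an unknown or forged value from selecting any IdP configuration.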