For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Jul 21, 2014

Just throwing this out there as I've dealt with something similar recently. Any chance that your environments are differentiated by hostname (ie. dev.domain.com, qa.domain.com, test.domain.com)? If so, you could:

  1. Create separate SP configs, access policies, and "internal" VIPs for each.

  2. Bind all of the SP configs to the IdP.

  3. Create an external LTM that fronts the internal APM VIPs and an iRule that load balances to the APM VIPs based on hostname (or any other consistent value in the request):

    when HTTP_REQUEST {        
    switch [string tolower [HTTP::host]] {            
        "dev.domain.com" { virtual dev_apm_vs }
        "qa.domain.com" { virtual qa_apm_vs }                
        "test.domain.com" { virtual test_apm_vs }
    }
}

Now that I'm thinking about it, and I don't have it in front of me to test, but isn't the relaystate value a query string value outside the encoded SAML request? You could use a similar "layered" VIP approach to alter the relaystate.