Forum Discussion
Is there a way to manipulate SAMLRequest in an iRule
Did you ever solve this? It turns out Office365 has this same problem: if you have multiple domains inside a single tenant account, they all come in with the Issuer ID and the same Assertion Consumer Service URL. The way to distinguish them (and the way ADFS handles this) is to look at the user that the SP sent the assertion request for. The user comes in in a name@domain.com format, and the domains will be different there, which is how ADFS tells the SPs apart.
I'd like to do the same thing on the F5. I'm sure there's probably a way to do decodes and look at the SAML request, but is there any way to override what IDP configuration gets selected based on what I find the user name to be? Unfortunately, Microsoft requires that if you have two domains, the IDP sends back assertions to each domain with a different issuer ID so that Microsoft can tell them apart. (I wish they would do the same for us when their SPs send their assertion requests!)
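The inspection step asked about in the post above, as an added example that is not part of the original post and is not F5 or iRule code: Python that decodes a `SAMLRequest` value and extracts the Issuer, the Assertion Consumer Service URL and the domain of the requested user. It assumes the user arrives in the optional `Subject`/`NameID` element of the AuthnRequest; the function names, sample request, URL and issuer are constructed.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_saml_request(value, redirect_binding=True):
    """Return AuthnRequest XML bytes from an already URL-decoded SAMLRequest.
    HTTP-Redirect binding is base64 + raw DEFLATE; HTTP-POST is base64 only."""
    raw = base64.b64decode(value, validate=True)
    if redirect_binding:
        # wbits=-15 selects a raw DEFLATE stream; cap the output size.
        d = zlib.decompressobj(-15)
        raw = d.decompress(raw, 65536)
        if d.unconsumed_tail:
            raise ValueError("SAMLRequest inflates past 64 KiB")
    return raw

def routing_hints(xml_bytes):
    """Extract Issuer, ACS URL and the domain part of the Subject NameID."""
    # An AuthnRequest is often unsigned and client-supplied: use these values
    # only to pick a configuration, never as proof of who the user is.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD not allowed in SAML messages")
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not an AuthnRequest")
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    domain = name_id.rpartition("@")[2].lower() if "@" in name_id else None
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "domain": domain,
    }

def sample_request(user):
    """Constructed Redirect-binding SAMLRequest for the given user name."""
    xml = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" '
           'ID="_constructed1" Version="2.0" '
           'AssertionConsumerServiceURL="https://sp.example.test/acs">'
           '<saml:Issuer>urn:example:shared-sp</saml:Issuer>'
           '<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>'
           '</samlp:AuthnRequest>') % (NS["samlp"], NS["saml"], user)
    c = zlib.compressobj(wbits=-15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()
```

Two requests built with `sample_request` for users in different domains return the same `issuer` and `acs_url` and differ only in `domain`, which is the value a selection rule would key on.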