Forum Discussion

amolari
Sep 21, 2015

SAML: apm vpe action selection based on SP Issuer

hello

I have the following scenario: APM as IdP (works as portal and SP-initiated), v12.0. Multiple SAML IdP resources are configured and shown to the users depending on their AD group membership.

For SP-initiated sessions, I need to perform an AD query in a different way, depending on the SP resource (Issuer). My issue is that the APM doesn't set any variable for the issuer ID when it receives the AuthnRequest (for example urn:federation:MicrosoftOnline).

Am I overlooking something here? Is there a workaround?

Thanks

Alex

  • Hm... I am having a hard time understanding why you would need to perform the AD Query in a different way. If you can post an example, perhaps I can get a better idea. In general, it's not really possible to do, as the POST URL is the same, and the AuthN request does not get parsed until the session is established - so you really need to perform all the checks upon session establishment with the IDP.

  • This is what I meant: SP-initiated redirect POST to my VS (SAML IdP). A session is established and APM should see the AuthnRequest with the Issuer ID. I then have a logon page and then an AD query. I would need to do some post-processing, but only for one specific Issuer ID and not in all cases.

  • I cannot use the landing URI to distinguish the source (SAML SP initiator), as the landing URI variable is set to /saml/idp/profile/redirectorpost/sso, which is the same for all SP services.

  • Found out there is an existing RFE:

    506014 [RFE][SAML] IdP should be able to parse 'AuthnRequest' before executing access policy (SP initiated SSO/ECP)

    No target defined, so please feel free to open a case and attach it to this BUGID to "speed up" its implementation 😉

    Alex

  • +1 would also like this.

    I was thinking you could probably achieve this with an iRule that captures the POST request to /saml/idp/profile/redirectorpost/sso and looks for the issuer. You could then set that as a variable to use in the Access Policy.
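The extraction step that this iRule idea (and the issuer-extraction article linked further down) relies on, as an added example that is not part of this thread, of F5's product, or of the linked article. It is written in Python rather than iRule Tcl so it can be run and checked offline; the SSO path and the example issuer value are the ones quoted in the thread, the AuthnRequest is constructed here, and the size cap and the fall-through-to-None behaviour are design choices of this example, not APM behaviour.

```python
"""Pull the SP Issuer out of an SP-initiated SAML AuthnRequest.

Added example for this thread, not code from F5 or from the linked article.
It does in Python what an iRule on the APM virtual server would need to do
before the access policy runs: read the SAMLRequest parameter sent to
/saml/idp/profile/redirectorpost/sso, decode it for either binding, and
return the Issuer so a policy branch can key off it.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SSO_PATH = "/saml/idp/profile/redirectorpost/sso"  # APM IdP SSO endpoint quoted in the thread
MAX_REQUEST_BYTES = 64 * 1024  # example cap on the decoded request; AuthnRequests are small


def decode_saml_request(encoded: str, redirect_binding: bool) -> bytes:
    """Base64-decode the SAMLRequest value; the Redirect binding also DEFLATEs it."""
    raw = base64.b64decode(encoded, validate=True)
    if redirect_binding:
        # HTTP-Redirect binding uses raw DEFLATE (RFC 1951, no zlib header): wbits=-15.
        # max_length bounds the output so a tiny compressed blob cannot inflate without limit.
        d = zlib.decompressobj(-15)
        raw = d.decompress(raw, MAX_REQUEST_BYTES)
        if d.unconsumed_tail:
            raise ValueError("AuthnRequest exceeds size limit")
    elif len(raw) > MAX_REQUEST_BYTES:
        raise ValueError("AuthnRequest exceeds size limit")
    return raw


def extract_issuer(xml_bytes: bytes) -> Optional[str]:
    """Return the <saml:Issuer> text of an AuthnRequest, or None if it is not one."""
    # For untrusted input in production, prefer a hardened parser such as defusedxml;
    # ElementTree is enough here to show the namespace-qualified lookup.
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        return None
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or not issuer.text or not issuer.text.strip():
        return None
    return issuer.text.strip()


def issuer_from_request(path: str, query: str, body: str) -> Optional[str]:
    """Given the request path, query string and form body, return the SP Issuer or None."""
    if path != SSO_PATH:
        return None
    # POST binding carries SAMLRequest in the form body; Redirect binding in the query string.
    if body:
        encoded = parse_qs(body).get("SAMLRequest", [None])[0]
        redirect = False
    else:
        encoded = parse_qs(query).get("SAMLRequest", [None])[0]
        redirect = True
    if not encoded:
        return None
    try:
        return extract_issuer(decode_saml_request(encoded, redirect))
    except (ValueError, zlib.error, ET.ParseError):
        return None  # malformed input: let the policy fall through to its default branch


# --- constructed sample data (not captured traffic) ---------------------------------
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
    'ID="_constructed-example-id" Version="2.0" IssueInstant="2015-09-21T00:00:00Z">'
    '<saml:Issuer>urn:federation:MicrosoftOnline</saml:Issuer>'
    '</samlp:AuthnRequest>'
).encode()


def encode_post_binding(xml_bytes: bytes) -> str:
    """HTTP-POST binding: plain base64 of the XML."""
    return base64.b64encode(xml_bytes).decode()


def encode_redirect_binding(xml_bytes: bytes) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml_bytes) + c.flush()).decode()


def sample_issuers() -> Tuple[Optional[str], Optional[str]]:
    """Run the constructed AuthnRequest through both bindings and return the issuers found."""
    post_body = urlencode({"SAMLRequest": encode_post_binding(SAMPLE_AUTHN_REQUEST), "RelayState": "abc"})
    redirect_qs = urlencode({"SAMLRequest": encode_redirect_binding(SAMPLE_AUTHN_REQUEST)})
    return (issuer_from_request(SSO_PATH, "", post_body),
            issuer_from_request(SSO_PATH, redirect_qs, ""))


if __name__ == "__main__":
    post_issuer, redirect_issuer = sample_issuers()
    print("POST binding issuer:", post_issuer)
    print("Redirect binding issuer:", redirect_issuer)
```

In an iRule the equivalent result would be stored in a session variable for the access policy to branch on; this example stops at returning the issuer, and returns None for anything that is not a well-formed AuthnRequest so that a policy would take its default branch rather than act on unparsed input.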

  • Hello guys,

    To have a workaround you can use the following code:

    https://devcentral.f5.com/s/articles/apm-saml-idp-sp-issuer-extraction

    Regards

    Jad