Forum Discussion

amolari's avatar
amolari
Icon for Cirrostratus rankCirrostratus
Sep 21, 2015

SAML: apm vpe action selection based on SP Issuer

hello

I have the following scenario: APM as IdP (works as portal and SP-initiated), v12.0. Multiple SAML IdP resources are configured and showned to the users depending on their AD group membership.

For SP-initiated sessions, I need to perform an AD query in a different way, depending on the SP resource (Issuer). My issue is that the APM doesn't set any variable for the issuer ID when it receives the AuthnRequest (example such as

urn:federation:MicrosoftOnline
)

Am I overseeing something here? Is there a workaround?

Thanks

Alex

6 Replies

  • Hm... I am having hard time understanding why you would need to perform AD Query in a different way? If you can post an example, perhaps I can have any better idea. In general, it's not really possible to do, as the POST URL is the same, and AuthN request does not get parsed until the session is established - so you really need to perform all the checks upon session establishment with the IDP.

     

  • This is what I meant: SP-initiated redirect POST to my VS (SAML IdP). A session is established and APM should see the AuthnRequest with Issuer ID. I do then have a logon page and then an ADquery. I would need to do some post-processing but only for one specific IssuerID and not in all cases.

     

  • cannot use the landing URI to distinguish the source (SAML SP initiator), as the landing URI variable is set to

    /saml/idp/profile/redirectorpost/sso
    .. which is the same for all SP services

  • Found out there is an existing RFE:

    506014 [RFE][SAML] IdP should be able to parse 'AuthnRequest' before executing access policy (SP initiated SSO/ECP)

    No target defined, so please feel free to open a case and attach it to this BUGID to "speed up" its implementation 😉

    Alex

  • +1 would also like this.

     

    I was thinking you could probably achieve this with an irule that captures the POST request to /saml/idp/profile/redirectorpost/sso and looks for the issuer. You could then set that as a variable to use in the Access Policy.

     

  • Hello guys,

     

    To have a workaround you can use the following code

     

    https://devcentral.f5.com/s/articles/apm-saml-idp-sp-issuer-extraction

     

    Regards

     

    Jad