For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Sam_Hall's avatar
Sam_Hall
Icon for Nimbostratus rankNimbostratus
Nov 06, 2015

Lacking any better suggestion, I've found one option available is to decode the post data to determine which SP the request is attempting to start a session for. Then use that information to craft an idpinitiated GET request. Some SP also seem to provide enough information to do this in the RelayState URL parameter. Is this a terrible approach?

 

  • amolari's avatar
    amolari
    Icon for Cirrostratus rankCirrostratus
    Nov 06, 2015
    which information are you looking for? the entityID?
  • Sam_Hall's avatar
    Sam_Hall
    Icon for Nimbostratus rankNimbostratus
    Nov 06, 2015
    I think it was called the relying party id for ADFS. It's not to hard to implement and seems to work fine, I'm just wondering if it's the best thing to do. I've still not got it working for our Shibboleth instance, I think I need to enable IdPUnsolicitedSSO, which seems to be frowned upon... https://wiki.shibboleth.net/confluence/display/SHIB2/IdPUnsolicitedSSO
  • Sam_Hall's avatar
    Sam_Hall
    Icon for Nimbostratus rankNimbostratus
    Nov 10, 2015
    I've convinced myself that there's nothing wrong with translating the POST request to an idpinititated GET request redirect. All you lose is the ability for ADFS to detect a "relay attack", which is apparently just a DoS threat for ill prepared IdP platforms (ASM can mitigate against that probably more effectively). Relay attacks and idpinititated login presents no additional security risks to the Service Provider, which is all I was really concerned about.