For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Sam_Hall's avatar
Sam_Hall
Icon for Nimbostratus rankNimbostratus
Nov 06, 2015

Lacking any better suggestion, I've found one option available is to decode the post data to determine which SP the request is attempting to start a session for. Then use that information to craft an idpinitiated GET request. Some SP also seem to provide enough information to do this in the RelayState URL parameter. Is this a terrible approach?

 

Sam_Hall's avatar
Sam_Hall
Icon for Nimbostratus rankNimbostratus
Nov 10, 2015
I've convinced myself that there's nothing wrong with translating the POST request to an idpinititated GET request redirect. All you lose is the ability for ADFS to detect a "relay attack", which is apparently just a DoS threat for ill prepared IdP platforms (ASM can mitigate against that probably more effectively). Relay attacks and idpinititated login presents no additional security risks to the Service Provider, which is all I was really concerned about.