SAML IdP and User access

We have just federated with an SP and we a requirement that only certain users when a particular AD group can will have access. I have multiple SP going to a single IdP. There's two ways I can think of doing this so I guess this is a multipart question: Also by having everyone going through the same IdP we implement SSO that way.

 

What is the best way to accomplish this? Create another IdP/SP on F5 and have the IdP APM do a SAML Auth to the F5-SP?

 

Plan A (Complex) - This way will allow me to have another Virtual Server that the external SP will call I can use an APM on this guy.

 

Plan B (?) - Do an iRule that checks the payload and looks at the AD groups of the user after the user has been authenticated. Have the iRule set a variable the determines if the user can go to the SAML resource

 

If it is plan B I need to inspect the payload or see what saml resource it want to go to. If I choose saml resource what irule event and what session or variable to I check for this?

 

I see in the logs I just don't know how to reference it from an iRule.

 

debug tmm4[14202]: 014d0002:7: 712c24be: SSOv2 Using SSO config: /DMZ-STAGING/saml_idpsvc_box_stg_01 with SP Connector: /DMZ-STAGING/saml_idpextsp_box_stg_01 from SAML Resource: /DMZ-STAGING/samlres_box_stg_01

 

info tmm4[14202]: 014d0002:6: 712c24be: SSOv2 Using SAML SSO object (/DMZ-STAGING/saml_idpsvc_box_stg_01) with SP Connector (/DMZ-STAGING/saml_idpextsp_box_stg_01)