Forum Discussion
SAML Idp-Initiated Connections
I am new to the whole SAML thing and have been playing around with it. I have set up my Salesforce dev account to work with our BIG-IP device and it works perfectly. Since I am still super new to this, I beg your forgiveness if I mix up any terms, and feel free to let me know.
I set up a BIG-IP as IdP for Salesforce and configured all the settings in the Local IdP Service tab. I then created an External SP connector and connected the service to that connector. I believe that this is SP-initiated SAML, correct? This allows me to use our AAA (AD) to log in to Salesforce.
Now I am playing with another vendor that only supports IdP-initiated connections.
My question is: how do I go about creating an IdP-initiated connection to the SP?
Thanks!
- That_guy_122842 (Nimbostratus)
The way that works best for me is a Webtop.
Another tool I used when working out issues is SimpleSAMLphp. Real easy to stand up and test with F5.
- joesnyder_13328 (Nimbostratus)
Is there any way to do it without a Webtop? We already have a custom web application that works as a webtop for us.
- That_guy_122842 (Nimbostratus)
So there is, but the issue you run into is when you want to set up more than one SAML relationship. I really have never gotten a clear answer on how (other than having more than one VIP).
- joesnyder_13328 (Nimbostratus)
Haha, that's exactly what I have been running into. So I hope someone can provide an answer. Thanks!
- Matt_Dierick (Employee)
Hi,
Actually, when you bind your external SP connector to your local IDP, this is not SP initiated (not really). It depends on how you configure your APM IDP policy. You can use an APM as IDP for SP initiated and IDP initiated. It depends on the way you set your policy. If you use SAML resources assigned to your webtop, you can use APM as SP and IDP initiated. If you do not assign any SAML resource or webtop, you cannot use IDP initiated.
I mean, if you reach SFDC first (SP initiated), you will be redirected to the IDP for auth and redirected to SFDC when done. If you reach the IDP first (IDP initiated), you will be prompted with your SAML resource (SFDC) on the webtop.
If the second vendor only supports IDP initiated, you need to use a SAML resource in order to push the SAML assertion at the first SP connection. A SAML resource needs a webtop. I don't know if we can force APM to start a SAML resource after login so that the user does not see the webtop.
- kunjan_118660 (Cumulonimbus)
Maybe a redirect on the policy ending.
Understanding the redirect ending:
http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-config-11-4-0/apm_config_understanding.html
- Matt_Dierick (Employee)
I tried this morning :-) Does not work, the SAML assertion is pushed. I tried with the SAML resource URL.
- kunjan (Nimbostratus)
Thanks Matt for testing. Tried an iRule that auto-launches the configured webtop SAML resource. Seems to be working with a dummy SP.
    when ACCESS_POLICY_COMPLETED {
        ACCESS::respond 302 Location "/saml/idp/res?id=/Common/my_saml_resource"
    }
- Matt_Dierick (Employee)
Good to know. I'm gonna test. I did test with the same URI but in the VPE ending. And actually I get a loop on APM /my.policy page.
- kunjan (Nimbostratus)
The redirect ending deletes the cookies when redirected, even with 'Close session after redirect' option disabled. This creates the loop. Not sure if it's a bug or per design.
- Matt_Dierick (Employee)
It works :-)
Thanks for the tip.
- MiLK_MaN_61922 (Nimbostratus)
This iRule should work for both SP-initiated and IdP-initiated SAML IdP scenarios:
    when ACCESS_POLICY_COMPLETED {
        if { [ACCESS::session data get session.server.landinguri] == "/saml/idp/profile/redirectorpost/sso" } {
            log local0. "SP initiated SAML detected, not sending redirect"
        } else {
            ACCESS::respond 302 Location "/saml/idp/res?id=[ACCESS::session data get session.assigned.resources.saml]"
            log local0. "IDP initiated SAML detected, sending redirect"
        }
    }
- jerebrad_302050 (Nimbostratus)
This worked for me. Just add this iRule to the VIP and not in the Access Policy VPE.
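The iRule above builds the /saml/idp/res redirect from whatever session.assigned.resources.saml contains, so a session with no SAML resource, or with several, ends up redirected to an empty or ambiguous resource id. The variant below is an added example written for this thread, not code posted by any participant or shipped by F5: it only auto-launches when exactly one SAML resource is assigned and otherwise falls through to the normal webtop. It assumes that session.assigned.resources.saml is a space-separated list of resource names and that APM's IdP SSO endpoints all live under /saml/idp/profile/; both are assumptions to verify against your APM version.

```tcl
# Added example for this thread, not F5 code.
# Assumption: session.assigned.resources.saml is a space-separated list
# of SAML resource names (e.g. "/Common/my_saml_resource").
# Assumption: APM IdP SSO endpoints are under /saml/idp/profile/.
when ACCESS_POLICY_COMPLETED {
    set landing   [ACCESS::session data get session.server.landinguri]
    set resources [ACCESS::session data get session.assigned.resources.saml]

    # SP-initiated: the user arrived at the IdP SSO endpoint, so APM will
    # return the assertion to the SP by itself. Do not redirect.
    if { [string match "/saml/idp/profile/*" $landing] } {
        log local0. "SP-initiated SAML (landing URI $landing), no redirect"
        return
    }

    # IdP-initiated: require exactly one assigned SAML resource. With zero
    # the redirect URL would be broken; with several we cannot tell which
    # SP the user wants, so let the webtop present the choice instead.
    set count [llength $resources]
    if { $count != 1 } {
        log local0. "IdP-initiated SAML with $count SAML resources assigned, showing webtop"
        return
    }

    set res [lindex $resources 0]
    log local0. "IdP-initiated SAML, auto-launching resource $res"
    ACCESS::respond 302 Location "/saml/idp/res?id=$res"
}
```

As jerebrad notes for the original rule, attach this to the virtual server rather than inside the VPE ending, since the redirect ending clears the session cookies and produces the /my.policy loop described earlier.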