Forum Discussion

joesnyder_13328
Jun 19, 2014

SAML IdP-Initiated Connections

I am new to the whole SAML thing and have been playing around with it. I have set up my Salesforce dev account to work with our BIG-IP device and it works perfectly. Since I am still super new to this, forgive me if I mix up any terms, and feel free to let me know.

I set up a BIG-IP as IdP for Salesforce and configured all the settings in the Local IdP Service tab. I then created an External SP connector and connected the service to that connector. I believe that this is SP-initiated SAML, correct? This allows me to use our AAA (AD) to log in to Salesforce.

Now I am playing with another vendor that only supports IdP-initiated connections.

My question is how do I go about creating an IdP-initiated connection to an SP?

Thanks!


  • Can someone spoon-feed me a bit and explain where the iRule supplied by Milkman would go? Do I add another object in my policy for the iRule, i.e. a General Purpose :: iRule Event?

    Not sure how to implement this. I have this set up for SP-initiated, but am struggling with IdP-initiated.

    Thanks in advance.

  • kunjan

    Just add this iRule to the IdP virtual server in the resource configuration.

  • I was given another solution to this problem by my SE. It's written by Graham at F5, who specializes in SAML. https://devcentral.f5.com/articles/apm-cookbook-autolaunch-saml-resources-21377

    Here are Graham's comments to our SE regarding the solutions from Kunjan and Milkman, and why his solution is more complete:

    "It only handles the access policy completed event so if they later come back to the existing session it will not fire because that event isn't hit, that's why mine has two events to cover the two access scenarios. Also it assumes you always want the user redirected to the same SAML resource, what if you have multiple, that's why mine leverages a switch."

    The benefit of Graham's solution for me was that with Milkman's I had to lower the timeout threshold, because if you closed the site you accessed through SAML, you couldn't access it again unless the previous session was ended. With Graham's solution you can access it even if the previous session isn't closed. He described that scenario above.
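To make the two-scenario design in Graham's comment concrete, here is an illustrative APM iRule written for this thread. It is not Graham's, Kunjan's or Milkman's code, and the hostnames, SP connector names (/Common/sp_salesforce, /Common/sp_other_vendor) and the chosen landing path "/" are assumptions; the IdP-initiated launch URL /saml/idp/res?id=<connector> is the APM webtop resource URL as understood here and should be checked against your own BIG-IP version.

```tcl
# Illustrative APM iRule for this thread (not code from the original page or from F5).
# Attach it to the IdP virtual server. It covers both access scenarios Graham describes:
#   1. first visit: the access policy just completed, so ACCESS_POLICY_COMPLETED fires;
#   2. return visit with a still-valid APM session: the policy does not run again, so the
#      redirect has to happen from HTTP_REQUEST instead.
# A switch on the requested host picks which SAML resource (SP connector) to launch.
# Hostnames and connector names below are assumed values for the example.

proc pick_saml_resource { host } {
    # Map the host the user came in on to the SP connector to launch.
    # Returns an empty string when no auto-launch applies to this host.
    switch -glob [string tolower $host] {
        "sf-sso.example.com"     { return "/Common/sp_salesforce" }
        "vendor-sso.example.com" { return "/Common/sp_other_vendor" }
        default                  { return "" }
    }
}

when ACCESS_POLICY_COMPLETED {
    # Scenario 1: policy finished (user is now allowed), send them straight to the SP.
    set res [call pick_saml_resource [HTTP::host]]
    if { $res ne "" } {
        ACCESS::respond 302 noserver Location "/saml/idp/res?id=$res"
    }
}

when HTTP_REQUEST {
    # Scenario 2: existing session in the allowed state, user landed on "/" again.
    # Only redirect on the landing path so the /saml/idp/res request itself is not
    # redirected again (avoids a redirect loop).
    if { [HTTP::path] eq "/" } {
        set sid [HTTP::cookie MRHSession]
        if { $sid ne "" && [ACCESS::session exists -state_allow $sid] } {
            set res [call pick_saml_resource [HTTP::host]]
            if { $res ne "" } {
                HTTP::redirect "/saml/idp/res?id=$res"
            }
        }
    }
}
```

Because the second event handles the returning user, the session timeout no longer has to be shortened for the SP to become reachable again, which is the difference the comment above describes. Add a host entry to the switch for each additional SP connector rather than duplicating the iRule.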