SAML IdP Initiated SSO Denied and Killing Existing Session established through OAuth
I am running into an issue and coming up short on ideas, so I thought I would try here. I have an application wherein users are authenticated with Okta via a JavaScript widget on our home page. We have an OAuth Client/Resource Server set up and this is working well. Now, once these users are logged in, some of them will need to then authenticate to third-party partners via SAML SSO with the F5 acting as the IdP. This is where I'm getting hung up....
So authentication with OAuth to the application works well and a session is established. We have some logic in the application that when a user needs to go to one of these third parties they are directed to /saml/idp/res?id=/Common/<saml_resource_name>. Whenever an already authenticated user hits these endpoints with an appropriate SAML resource name, the client is redirected to /hangup.php and their session is terminated. Looking into /var/log/apm I find only the following in the logs as to why: "Authorization failure: Denied request for SAML resource /Common/my_saml_resource"
I've been racking my brain on this and am struggling to understand how I can prevent the session from getting terminated and have clients redirected with an appropriate SAML interaction to our SPs. Any help would be much appreciated!
Thank you!
-adam
OK. Figured this out. Probably silly, but I needed to add a "Resource Assign" task in the VPE for my access policy once authenticated.
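As an added example (not part of the original post or of any F5 code), here is a small Python check for the IdP-initiated flow described above: it sends a request to the /saml/idp/res?id=... endpoint with an existing APM session cookie and distinguishes the failure in the question (a redirect to /hangup.php, which is what APM does when no SAML resource has been assigned to the session) from a working SSO (a 200 carrying the auto-submitting HTML form with a SAMLResponse, which the script decodes so you can eyeball Issuer, Destination, Subject and Status). The host names, the SP ACS URL, the session cookie value and the embedded SAML response are constructed for the demo; MRHSession is APM's session cookie name, and the sample data is only there so the classification runs offline.

```python
"""Probe an F5 APM IdP-initiated SAML endpoint with an existing session.

Added example, not code from the original post. Outcomes:
  * redirect to /hangup.php  -> APM tore the session down (no SAML resource assigned)
  * 200 with SAMLResponse form -> IdP-initiated SSO worked; the response is summarised
"""
import base64
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


class _HiddenInputs(HTMLParser):
    """Collect hidden <input> fields and the first form's action attribute."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self.action = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = a.get("action")
        if tag == "input" and a.get("type", "").lower() == "hidden" and "name" in a:
            self.fields[a["name"]] = a.get("value", "")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following the /hangup.php redirect so we can see it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def summarize_saml_response(b64):
    """Decode a base64 SAMLResponse and pull out the fields worth checking."""
    root = ET.fromstring(base64.b64decode(b64))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    assertion = root.find("saml:Assertion", NS)
    return {
        "issuer": (root.findtext("saml:Issuer", namespaces=NS) or "").strip(),
        "destination": root.get("Destination"),
        "status": status.get("Value") if status is not None else None,
        "subject": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
        if assertion is not None else None,
    }


def classify_idp_response(status_code, headers, body):
    """Map one HTTP response from /saml/idp/res?id=... to a verdict dict."""
    location = headers.get("Location", "")
    if status_code in (301, 302, 303, 307) and "/hangup.php" in location:
        return {"verdict": "denied",
                "detail": "redirected to /hangup.php: APM dropped the session; "
                          "check that the access policy assigns the SAML resource"}
    if status_code == 200:
        p = _HiddenInputs()
        p.feed(body)
        if "SAMLResponse" in p.fields:
            info = summarize_saml_response(p.fields["SAMLResponse"])
            info.update({"verdict": "sso", "form_action": p.action,
                         "relay_state": p.fields.get("RelayState")})
            return info
    return {"verdict": "unexpected", "detail": f"HTTP {status_code} {location}".strip()}


def probe(base_url, resource, session_cookie):
    """Live check against a real APM virtual, e.g.
    probe("https://apm.example.com", "/Common/my_saml_resource", "<MRHSession value>")."""
    req = urllib.request.Request(
        f"{base_url}/saml/idp/res?id={resource}",
        headers={"Cookie": f"MRHSession={session_cookie}"},  # APM session cookie
    )
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        resp = opener.open(req, timeout=10)
        return classify_idp_response(resp.status, dict(resp.headers),
                                     resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx land here with redirects disabled
        return classify_idp_response(e.code, dict(e.headers),
                                     e.read().decode("utf-8", "replace"))


# ---- constructed sample data (not captured from a real system) ----
SAMPLE_RESPONSE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_demo1" Version="2.0" '
    'IssueInstant="2020-01-01T00:00:00Z" Destination="https://sp.example.com/acs">'
    "<saml:Issuer>https://idp.example.com/saml/idp</saml:Issuer>"
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">'
    "<saml:Subject><saml:NameID>adam@example.com</saml:NameID></saml:Subject>"
    "</saml:Assertion></samlp:Response>"
)
SAMPLE_FORM = (
    '<html><body onload="document.forms[0].submit()">'
    '<form method="POST" action="https://sp.example.com/acs">'
    f'<input type="hidden" name="SAMLResponse" value="{base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()}"/>'
    '<input type="hidden" name="RelayState" value="partner-app"/>'
    "</form></body></html>"
)


def demo():
    """Run the classifier over the two constructed outcomes (offline)."""
    denied = classify_idp_response(302, {"Location": "/hangup.php"}, "")
    ok = classify_idp_response(200, {}, SAMPLE_FORM)
    return denied, ok


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The denied branch is the symptom from the question; once the Resource Assign agent in the VPE grants the SAML resource, the same request should return the auto-post form, and the decoded Destination should match the partner's ACS URL.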