SAML IDP-initiated without webtop
So I have one SP-initiated SAML setup that is working. I have another request to set up an IdP-initiated SAML connection. I have gotten it to work successfully following the guide, but after signing into the F5 the users have to click the link in the webtop. From research I know I should be able to send them directly to the correct SAML resource, but I have not been able to figure it out. Any help would be great.
This is the guide I followed: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-saml-config-guide-11-3-0/2.html#unique_882574450
- jnowlin_44976 (Nimbostratus)
Yes, I have SAML working for both my SP-initiated and IdP-initiated setups. When a user uses the SP-initiated URL they are taken directly to the service provider's site. This is how I want the IdP-initiated one to work as well, so users do not have to manually click on the IdP-initiated resource once authenticated.
- Kevin_Stewart (Employee)
That's what I'm saying. Your IdP visual policy could look like this:
start -> [auth] -> allow
Apply the SAML IdP config as an SSO profile to that access policy (directly) - no webtop, no resource assignment. You just need to make sure that at some point in the visual policy you populate that Assertion Subject Value session variable.
- jnowlin_44976 (Nimbostratus)
But if I remove the advanced resource assign from the VPE, my SP-initiated SAML application stops working. Maybe I am missing something, but I followed the F5 guide for supporting both SP- and IdP-initiated SAML.
My setup is as follows: 1 virtual server, 1 access profile, 1 access policy, 2 SAML local IdP services, 2 SAML external SP connectors, 2 SAML resources.
- Kevin_Stewart (Employee)
Are you doing SP and IdP on a single VIP?
An SP-initiated SAML auth doesn't require a resource assignment either. It's just:
start -> SAML Auth -> allow
That's assuming the SAML SP is on one VIP and your IdP is on another.
- jnowlin_44976 (Nimbostratus)
Yes, I was doing both SP-initiated and IdP-initiated on the same VIP. This was according to the guide and made sense, so I only have one URL for SAML.
- Kevin_Stewart (Employee)
If you use a single VIP, then you do indeed need to use a resource assignment.
- Kevin_Stewart (Employee)
I was definitely not listening when you said "IdP-initiated without the webtop", so I addressed that in your other post. Otherwise, yes I would typically separate IdP and SP functions into separate VIPs. If you think about it, SAML is a federation protocol. If you need SSO to different applications on the same VIP, you can do that without SAML.
- jnowlin_44976 (Nimbostratus)
Well, both are sending SAML assertions, so it's not just single sign-on. I just have one that is SP-initiated and the other I have to initiate (IdP-initiated). I just cannot afford to hand out public IP addresses for each, as I'm sure there will be more later.
- Kevin_Stewart (Employee)
Are you at least using different host names? You could possibly move the visual policy flow through different paths - one for SP-init
start -> [hostname evaluate] -> SAML auth -> allow
and another for IdP-init
start -> [hostname evaluate] -> [auth] -> advanced resource assign
But generally speaking, you may only need the one IdP VIP and combining all of the SPs into one VIP would be trivial.
- jnowlin_44976 (Nimbostratus)
Same hostname, based on the F5 guide for setting up SP and IdP SAML, but the entity for each is different, resulting in different URLs. For example: https://sso.example.com/SPinitiated and https://sso.example.com/IDPinitiated
So in my case I would either have to identify them by the URL or go back and define separate hostnames, it sounds like. I have seen several posts on this, and most use an iRule to send it one way or the other, but something like the one below did not work for me either. I'm starting to wonder if the URL I am using to access the IdP-initiated service is wrong. Shouldn't https://sso.example.com/IDPinitiated be able to get me to the IdP resource?

    when ACCESS_POLICY_COMPLETED {
        # An SP-initiated flow lands on the IdP's SSO endpoint, so leave it alone
        if { [ACCESS::session data get session.server.landinguri] equals "/saml/idp/profile/redirectorpost/sso" } {
            log local0. "SP initiated SAML detected, not sending redirect"
        } else {
            # Anything else is treated as IdP-initiated: send the user straight to
            # the assigned SAML resource instead of showing the webtop
            ACCESS::respond 302 Location "/saml/idp/res?id=[ACCESS::session data get session.assigned.resources.saml]"
            log local0. "IDP initiated SAML detected, sending redirect"
        }
    }