Forum Discussion
SAML IDP-initiated without webtop
Thanks, I modified the iRule a bit, but so far this is working for me:

```tcl
when ACCESS_POLICY_COMPLETED {
    # SP-initiated SSO lands on the IdP SSO endpoint; APM handles it, no redirect needed
    if { [ACCESS::session data get session.server.landinguri] starts_with "/saml/idp/profile/redirectorpost/sso" } {
        log local0. "SP initiated SAML detected, not sending redirect"
    } elseif { [ACCESS::session data get session.server.landinguri] starts_with "/URLtoIDPinitiated" } {
        # IdP-initiated: send the user straight to the SAML resource instead of the webtop
        log local0. [ACCESS::session data get session.assigned.resources.saml]
        ACCESS::respond 302 Location "https://sso.example.com/saml/idp/res?id=/Common/SAML_Resource"
        log local0. "IDP initiated SAML detected, sending redirect"
    } else {
        log local0. "Nothing Matched land on portal"
    }
}
```
- Michael_Koyfma1 | Aug 27, 2015 | Cirrus

  Sure - keep in mind that you really probably should replicate the logic in both HTTP_REQUEST and ACCESS_POLICY_COMPLETED events if you are not ending the session right away. If your use case is going to grow in a way that you'll be providing IDP services for multiple SPs, you'd certainly want your users to authenticate once and then be SSOed into their APPs seamlessly. If you use just that snippet that you're using, it will work only when the user does not have a valid session with the IDP yet.
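One way to replicate the redirect in both events, as the reply above suggests. This is an added example, not code from either poster: the URLs and resource name are the ones from the post, while detecting an existing session through the `MRHSession` cookie and `ACCESS::session exists -state_allow` is an assumption about how the check would be done.

```tcl
when HTTP_REQUEST {
    # Returning user: the access policy already completed for this session,
    # so ACCESS_POLICY_COMPLETED will not fire again for this request.
    if { [HTTP::path] starts_with "/URLtoIDPinitiated" && [HTTP::cookie exists MRHSession] } {
        # Assumption: MRHSession carries the APM session ID
        set sid [HTTP::cookie value MRHSession]
        # Redirect only if the session exists and the policy ended in Allow
        if { [ACCESS::session exists -state_allow -sid $sid] } {
            log local0. "IDP initiated SAML with existing session, sending redirect"
            HTTP::respond 302 Location "https://sso.example.com/saml/idp/res?id=/Common/SAML_Resource"
            return
        }
    }
}

when ACCESS_POLICY_COMPLETED {
    # First-time user: the policy has just finished, decide based on the landing URI
    set landing [ACCESS::session data get session.server.landinguri]
    if { $landing starts_with "/saml/idp/profile/redirectorpost/sso" } {
        log local0. "SP initiated SAML detected, not sending redirect"
    } elseif { $landing starts_with "/URLtoIDPinitiated" } {
        ACCESS::respond 302 Location "https://sso.example.com/saml/idp/res?id=/Common/SAML_Resource"
        log local0. "IDP initiated SAML detected, sending redirect"
    } else {
        log local0. "Nothing Matched land on portal"
    }
}
```

Requests without a valid allowed session fall through the HTTP_REQUEST branch untouched, so authentication still runs through the access policy before any redirect to the SAML resource is issued.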