so i have 1 SP initiated SAML setup and working. i have another request to setup an IDP initiated SAML connection. i have get it to work successfully following the guide but after signing into the F5 the users have to click the link in the webtop. from research i know i should be able to send them directly to the correct SAML resource but i have not been able to figure it out. any help would be great? this is the guide i followed https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-saml-config-guide-11-3-0/2.htmlunique_882574450

yes i have the SAML working for both my SP-initiated and IDP-initiated. when a user uses the SP-initiated URL they are taken directly to the service providers site. this is how i want the IDP to work as well so users do not have to manually click on the IDP-initiated resource once authenticated.

That's what I'm saying. Your IdP visual policy could look like this: start -> [auth] -> allow Apply the SAML IdP config as an SSO profile to that access policy (directly) - no webtop, no resource assignment. You just need to make sure that at some point in the visual policy you populate that Assertion Subject Value session variable.

but if i remove the advanced resource assign from the VPE my SP-initiated SAML application stops working. maybe i am missing something but i followed the F5 guide for supporting both SP and IDP initited SAML. my setup is as follows: 1 virtual server 1 access profile 1 access policy 2 saml local IDP services 2 saml external SP Connectors 2 saml resources

Are you doing SP and IdP on a single VIP? An SP-initiated SAML auth doesn't require a resource assignment either. It's just: start -> SAML Auth -> allow That's assuming the SAML SP is on one VIP and your IdP is on another.

yes i was doing both SP-initiated and IDP initiated on the same VIP. this was according to the guide and made sense so i only have 1 url for saml.

SAML IDP-initiated without webtop

16 Replies

jnowlin_44976
Nimbostratus
Aug 21, 2015
yes i was doing both SP-initiated and IDP initiated on the same VIP. this was according to the guide and made sense so i only have 1 url for saml.
Kevin_Stewart
Employee
Aug 21, 2015
Are you doing SP and IdP on a single VIP?

An SP-initiated SAML auth doesn't require a resource assignment either. It's just:

start -> SAML Auth -> allow

That's assuming the SAML SP is on one VIP and your IdP is on another.
jnowlin_44976
Nimbostratus
Aug 21, 2015
but if i remove the advanced resource assign from the VPE my SP-initiated SAML application stops working. maybe i am missing something but i followed the F5 guide for supporting both SP and IDP initited SAML.

my setup is as follows: 1 virtual server 1 access profile 1 access policy 2 saml local IDP services 2 saml external SP Connectors 2 saml resources
Kevin_Stewart
Employee
Aug 21, 2015
That's what I'm saying. Your IdP visual policy could look like this:

start -> [auth] -> allow

Apply the SAML IdP config as an SSO profile to that access policy (directly) - no webtop, no resource assignment. You just need to make sure that at some point in the visual policy you populate that Assertion Subject Value session variable.
jnowlin_44976
Nimbostratus
Aug 21, 2015
yes i have the SAML working for both my SP-initiated and IDP-initiated. when a user uses the SP-initiated URL they are taken directly to the service providers site. this is how i want the IDP to work as well so users do not have to manually click on the IDP-initiated resource once authenticated.

Forum Discussion

SAML IDP-initiated without webtop

16 Replies

Recent Discussions

Find GSLB pool membership from vip IP

Pool Members communication with B-party via F5 VIP

Server 2 causing application slowness

F5Access | MacOS Sonoma

AS3 Deployments (shared objects)

Related Content

IdP Discovery for IdP Initiated SAML

SAML IdP Initiated SSO Denied and Killing Existing Session established through OAuth

Dynamic , Variable RelayState in IdP initiated SAML SSO

Webtop and icons

Creating a SSL VPN Using F5 Full Webtop