Forum Discussion

jnowlin_44976
Aug 21, 2015

SAML IDP-initiated without webtop

So I have one SP-initiated SAML setup working. I have another request to set up an IdP-initiated SAML connection. I have gotten it to work successfully following the guide, but after signing into the F5 the users have to click the link in the webtop. From research I know I should be able to send them directly to the correct SAML resource, but I have not been able to figure it out. Any help would be great.


This is the guide I followed: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-saml-config-guide-11-3-0/2.htmlunique_882574450


  • You're almost there. Here is what you need to do in terms of iRules. The gist is that you need to name your IDP resource and redirect to the proper webtop resource. You can try to automate it like you did to dynamically populate the respond string, or you can define them statically in the switch statement; that way you can have a more user-friendly setup, I believe. Keep in mind that in this case we assume you use the Common partition (thus the /Common/IDPresourceName reference; substitute that for what your resource is really defined as).

    # Users who already hold an allowed APM session: redirect straight to the
    # SAML IdP resource instead of landing them on the webtop.
    when HTTP_REQUEST priority 30 {
        if { [ACCESS::policy result] eq "allow" } {
            switch -glob [HTTP::path] {
                "/IDPResource" {
                    HTTP::respond 302 Location "/saml/idp/res?id=/Common/IDPResourceName"
                    return
                }
            }
        }
    }

    # ACCESS Policy Response used to provide IdP Initiated SAML for users that
    # have not logged in yet: route on the URI they originally requested.
    when ACCESS_POLICY_COMPLETED priority 30 {
        switch -glob [ACCESS::session data get session.server.landinguri] {
            "/IDPResource" {
                ACCESS::respond 302 Location "/saml/idp/res?id=/Common/IDPResourceName"
                return
            }
        }
    }
    
  • Thanks. I modified the iRule a bit, but so far this is working for me:

        when ACCESS_POLICY_COMPLETED {
            # URI the user originally asked for before the access policy ran
            set landing [ACCESS::session data get session.server.landinguri]
            if { $landing starts_with "/saml/idp/profile/redirectorpost/sso" } {
                # SP-initiated flow: the IdP profile handles it, no redirect
                log local0. "SP initiated SAML detected, not sending redirect"
            } elseif { $landing starts_with "/URLtoIDPinitiated" } {
                log local0. [ACCESS::session data get session.assigned.resources.saml]
                log local0. "IDP initiated SAML detected, sending redirect"
                ACCESS::respond 302 Location "https://sso.example.com/saml/idp/res?id=/Common/SAML_Resource"
            } else {
                log local0. "Nothing Matched land on portal"
            }
        }


    • Michael_Koyfma1
      Sure, keep in mind that you really probably should replicate the logic in both HTTP_REQUEST and ACCESS_POLICY_COMPLETED events if you are not ending the session right away. If your use case is going to grow in a way that you'll be providing IDP services for multiple SPs, you'd certainly want your users to authenticate once and then be SSOed into their apps seamlessly. If you use just that snippet that you're using, it will work only when the user does not have a valid session with the IDP yet.
  • Now if I could just set up single sign-on to my SP-initiated SAML application, I could add that link to the portal also.


  • So my working iRule looks like this:

        when ACCESS_POLICY_COMPLETED {
            # URI the user originally asked for before the access policy ran
            set landing [ACCESS::session data get session.server.landinguri]
            if { $landing starts_with "/saml/idp/profile/redirectorpost/sso" } {
                # SP-initiated flow: the IdP profile handles it, no redirect
                log local0. "SP initiated SAML detected, not sending redirect"
            } elseif { $landing starts_with "/SAMLURL" } {
                log local0. [ACCESS::session data get session.assigned.resources.saml]
                log local0. "IDP initiated SAML detected, sending redirect"
                ACCESS::respond 302 Location "https://sso.example.com/saml/idp/res?id=/Common/SAML_Resource"
            } else {
                log local0. "Nothing Matched land on portal"
            }
        }

    Looks like yours handles the 302 redirect but not the SP-initiated case. Do I need to add those lines to both the HTTP_REQUEST and ACCESS_POLICY_COMPLETED sections?
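Worked example added by the editor to answer the question above and Michael's earlier point about covering both events; it is not code from the thread or from F5. It assumes the virtual server has the APM access profile attached, that the SAML IdP resources live in the Common partition, and that the vanity paths and resource names (/SAMLURL, /App2SSO, /Common/SAML_Resource, /Common/SAML_Resource_App2) are placeholders to be replaced with your own:

```tcl
# Added example (not from the original posts or from F5). Assumptions:
# APM access profile attached to the virtual server, SAML IdP resources in
# the Common partition, and the paths/resource names below are placeholders.

when RULE_INIT {
    # Allow-list of vanity path -> SAML IdP resource. The id= value is taken
    # only from this table, never from the request, so a user cannot pick an
    # arbitrary resource or turn the Location header into an open redirect.
    set static::saml_launch [list \
        "/SAMLURL"  "/Common/SAML_Resource" \
        "/App2SSO"  "/Common/SAML_Resource_App2" \
    ]
    # SP-initiated requests arrive under this prefix and must reach the IdP
    # profile untouched; we never redirect them.
    set static::sp_initiated_prefix "/saml/idp/profile/redirectorpost/sso"
}

# Case 1: the user already holds an allowed APM session and requests a
# vanity path. Without this branch only first-time logins get redirected.
when HTTP_REQUEST priority 30 {
    if { [ACCESS::policy result] ne "allow" } { return }
    set path [HTTP::path]
    foreach { vanity resource } $static::saml_launch {
        if { $path eq $vanity } {
            log local0. "IdP-initiated launch (existing session) for $resource"
            HTTP::respond 302 Location "/saml/idp/res?id=$resource" "Cache-Control" "no-store"
            return
        }
    }
}

# Case 2: the user just completed the access policy. Route on the landing
# URI they originally asked for instead of dropping them on the webtop.
when ACCESS_POLICY_COMPLETED priority 30 {
    if { [ACCESS::policy result] ne "allow" } { return }
    # landinguri may carry a query string; compare on the path only.
    set landing [lindex [split [ACCESS::session data get session.server.landinguri] "?"] 0]

    if { $landing starts_with $static::sp_initiated_prefix } {
        log local0. "SP-initiated SAML detected, no redirect"
        return
    }
    foreach { vanity resource } $static::saml_launch {
        if { $landing eq $vanity } {
            log local0. "IdP-initiated launch (new session) for $resource"
            ACCESS::respond 302 Location "/saml/idp/res?id=$resource"
            return
        }
    }
    log local0. "No SAML launch path matched; landing on webtop"
}
```

A user without a session who requests /SAMLURL is intercepted by APM, logs in, and is redirected by the ACCESS_POLICY_COMPLETED branch; the same user requesting /App2SSO an hour later already has a session, so the HTTP_REQUEST branch launches the second resource without another login, which is the multi-SP case Michael describes. Keeping the resource name in a fixed table rather than deriving it from the request path is the part worth preserving when you adapt this: the id= parameter and the Location header should never contain attacker-controlled text.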