senthil147_1421
Apr 30, 2018

SAML redirection issue

HI Team

I have configured F5 as SAML IdP and SP; it works as expected. I have modified the configuration to check the username first and then select the IdP based on the username, for future IdPs which might be added.

So the SAML SP virtual server APM policy will ask for the username and parse the username to the SAML IdP automatically, as we can't expect the user to type the username twice. I created the iRules below. Username parsing doesn't work without a connectivity profile and a VDI profile; I don't understand why. Will you be able to check the iRule and confirm if something is wrong? Also, I have a single virtual server with a public IP, and the iRule I configured will redirect to an internal-IP virtual server based on host name; this is to reduce the number of public IPs being used.

iRule mapped to the SP virtual server

when RULE_INIT {
    set static::XXX_DEBUG true
    set static::XXX_IDENTITY_HEADER_NAME "identity"
    # Production
    set static::XXX_DNS_DOMAIN "XXXcorp.net"
    set static::XXX_ID_COOKIE_NAME "XXX-AA-DMZ-PR-ID"
}

when HTTP_RESPONSE {
    if { ${static::XXX_DEBUG} } { log local0. "Entered VS '[virtual name]'" }

    # Only a response that belongs to an APM session can carry the username
    if { ![ACCESS::session exists] } { return }

    set XXX_location_url [HTTP::header value Location]
    set XXX_username [ACCESS::session data get "session.logon.last.username"]
    set XXX_cookie_id [ACCESS::session data get "session.logon.XXX.cookie_id"]

    # APM redirects the browser to its SAML auto-POST form; that is the
    # redirect we rewrite so the username travels to the IdP
    if { $XXX_location_url starts_with "/renderer/agent_aaa_saml_form.eui" } {
        set XXX_saml_internal_redirection true
    } else {
        set XXX_saml_internal_redirection false
    }

    if { ${static::XXX_DEBUG} } {
        if { $XXX_saml_internal_redirection } {
            set stars "************"
        } else {
            set stars ""
        }
        log local0. "saml_internal_redirection: '${XXX_saml_internal_redirection}' ${stars}"
    }

    if { $XXX_saml_internal_redirection && $XXX_username ne "" } {
        set uri_base [URI::basename $XXX_location_url]
        set uri_path [URI::path $XXX_location_url]

        # The form's "uri" parameter holds the (URL-encoded) IdP SSO URL the
        # browser will POST the SAML request to; Method and SamlAgentName are
        # copied through unchanged
        set uri_query_uri    [URI::query $XXX_location_url "uri"]
        set uri_query_method [URI::query $XXX_location_url "Method"]
        set uri_query_agent  [URI::query $XXX_location_url "SamlAgentName"]

        # Append ?identity=<user> to the inner IdP URL. "%3F" is an encoded "?"
        # because the inner URL is itself a query-string value that the form
        # renderer decodes once. The username is therefore encoded twice, so a
        # name containing "&", "?", "%" or "#" cannot break the outer query
        # string or add parameters of its own.
        set uri_identity "%3F${static::XXX_IDENTITY_HEADER_NAME}=[URI::encode [URI::encode $XXX_username]]"
        set new_location_url "${uri_path}${uri_base}?uri=${uri_query_uri}${uri_identity}&Method=${uri_query_method}&SamlAgentName=${uri_query_agent}"

        if { ${static::XXX_DEBUG} } {
            log local0. "new_location_url = $new_location_url"
        }

        HTTP::header replace "Location" $new_location_url
    }
}

iRule mapped to the IdP virtual server

when RULE_INIT {
    set static::XXX_DEBUG true
    set static::XXX_IDENTITY_HEADER_NAME "identity"
}

when HTTP_REQUEST {
    if { ${static::XXX_DEBUG} } { log local0. "Entered" }

    # Forget any identity seen on an earlier request on this same connection
    unset -nocomplain XXX_identity

    # Check for SAML POSTs to the IdP SSO endpoint
    if { [HTTP::method] eq "POST" && [HTTP::uri] starts_with "/saml/idp/profile/redirectorpost/sso" } {
        set XXX_uri [HTTP::uri]
        # The SP side URL-encodes the value, so decode it before use
        set XXX_identity [URI::decode [URI::query $XXX_uri ${static::XXX_IDENTITY_HEADER_NAME}]]

        if { ${static::XXX_DEBUG} } {
            log local0. "Set XXX_uri= ${XXX_uri}"
            log local0. "Set XXX_identity=${XXX_identity}"
        }
    }
}

when ACCESS_SESSION_STARTED {
    if { ${static::XXX_DEBUG} } { log local0. "Entered" }

    # Pre-fill the username so the IdP policy does not ask for it again.
    # The value comes from the client-supplied query string, so the IdP
    # policy must still authenticate the user: it is a hint, not a credential.
    if { [info exists XXX_identity] && $XXX_identity ne "" } {
        ACCESS::session data set session.logon.last.username ${XXX_identity}
        if { ${static::XXX_DEBUG} } {
            log local0. "Set session.logon.last.username to '${XXX_identity}'"
        }
    }
}

The SAML APM policy will look for the cookie ID as the first option, as below, and take it further to the login page:

    expr { [mcget {session.logon.XXX.cookie_id}] != "" }

Thanks Senthil
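The hand-off the two iRules implement, modelled in Python as an added example (this is not the poster's code or F5's own renderer logic). The SP rewrites the redirect to the APM SAML form so that the inner IdP URL carries an "identity" query parameter; the IdP reads it back from the SAML POST. The form renderer is assumed to decode the "uri" parameter once and POST to it, which is what the "%3F" in the posted iRule implies. The hostname "idp.example.net", the agent name "sp-agent" and the usernames are constructed. `rewrite_as_posted` concatenates the raw username exactly as the posted iRule does; `rewrite_encoded` shows the same rewrite with the username encoded for both URL layers, so a username containing "&" cannot add a query parameter of its own to the outer redirect.

```python
"""Model of the SP -> IdP username hand-off from the post (added example).
Hostnames, agent name and usernames below are constructed."""
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode, quote

SAML_FORM_PATH = "/renderer/agent_aaa_saml_form.eui"   # redirect the SP iRule matches
IDP_SSO_PATH = "/saml/idp/profile/redirectorpost/sso"  # path the IdP iRule matches
IDENTITY_PARAM = "identity"


def rewrite_as_posted(location, username):
    """String concatenation as in the posted SP iRule: the raw username is
    appended after an encoded '?' with no encoding of its own."""
    if not location.startswith(SAML_FORM_PATH) or not username:
        return location
    parts = urlsplit(location)
    raw = {}
    for pair in parts.query.split("&"):        # keep values raw, like URI::query
        key, _, value = pair.partition("=")
        raw[key] = value
    return (f"{parts.path}?uri={raw.get('uri', '')}%3F{IDENTITY_PARAM}={username}"
            f"&Method={raw.get('Method', '')}&SamlAgentName={raw.get('SamlAgentName', '')}")


def rewrite_encoded(location, username):
    """Same rewrite, but the username is encoded for the inner IdP URL and the
    inner URL is encoded again as the 'uri' parameter, so '&', '?', '%' or '#'
    in a username cannot break the outer query string or smuggle parameters."""
    if not location.startswith(SAML_FORM_PATH) or not username:
        return location
    parts = urlsplit(location)
    query = parse_qs(parts.query, keep_blank_values=True)   # decodes once
    inner = query.get("uri", [""])[0]
    if not inner:
        return location
    inner_parts = urlsplit(inner)
    inner_query = parse_qs(inner_parts.query, keep_blank_values=True)
    inner_query[IDENTITY_PARAM] = [username]
    new_inner = urlunsplit(inner_parts._replace(query=urlencode(inner_query, doseq=True)))
    query["uri"] = [new_inner]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def outer_params(location):
    """Outer query string of a redirect, decoded once (what APM itself sees)."""
    return parse_qs(urlsplit(location).query)


def form_action(location):
    """Assumed renderer behaviour: decode the 'uri' parameter once and use it
    as the target the SAML form is POSTed to."""
    return outer_params(location).get("uri", [""])[0]


def extract_identity(method, request_uri):
    """Mirror of the IdP iRule HTTP_REQUEST check: only a POST to the SSO
    endpoint is considered; returns the decoded username or None."""
    if method != "POST":
        return None
    parts = urlsplit(request_uri)
    if not parts.path.startswith(IDP_SSO_PATH):
        return None
    values = parse_qs(parts.query).get(IDENTITY_PARAM)
    return values[0] if values else None


if __name__ == "__main__":
    # Constructed APM redirect: the 'uri' value is the IdP SSO URL, URL-encoded once
    loc = (SAML_FORM_PATH + "?uri=https%3A%2F%2Fidp.example.net" + quote(IDP_SSO_PATH, safe="")
           + "&Method=POST&SamlAgentName=sp-agent")
    for user in ("alice", "alice&Method=GET"):
        for fn in (rewrite_as_posted, rewrite_encoded):
            new = fn(loc, user)
            print(f"{fn.__name__:18} {user!r:20} IdP sees {extract_identity('POST', form_action(new))!r},"
                  f" outer Method={outer_params(new).get('Method')}")
```

With a plain username both rewrites deliver "alice" to the IdP. With "alice&Method=GET" the as-posted concatenation leaves the outer redirect with two Method values and the IdP only sees "alice", while the encoded form keeps Method intact and delivers the whole string. Whichever variant is used, the identity arrives in a client-controlled query string, so the IdP access policy must still authenticate the user rather than trust the pre-filled username.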
