Forum Discussion

Jason_L_40779's avatar
Icon for Nimbostratus rankNimbostratus
Mar 15, 2016

SAML SP Initiated Connections

I'm in the process of rolling out APM as a SAML IDP. Currently, we have 6 applications that are all going to be using SP initiated SAML coming from a external provider which we do not manage. I have it working with one provider. My question is, how does APM know which SAML resource to assign a user to if they are all sharing the same IDP? In my configuration, I have one vip, one access profile, and one IDP, with 6 SP connectors. I understand from an IDP initiated point of view, a user could simply just click on the SAML resource they want to access. However, when the SP redirects the user back to my IDP, the access policy has 6 SAML resources under the resource assign. I don't want the user to have to click anything. I want them to sign in once and the external page is visible.


I could create a separate vip per SAML application with a separate profile and IDP. But is there an easier way to do this? I guess my bigger question is... how does APM know that a user went to say, and when sharepoint redirects back to the local IDP, not to assign say the office 365 resouce.


2 Replies

  • In an SP initiated scenario, if you look at the SAML request that comes through (which you can do in Firefox using an addon called SAML Tracer, for example) you'll notice a couple of fields in the request:

    (which seems to match to the
    Entity ID
    you set in your SAML config in APM) and
    Assertion Consumer Service URL
    among others. I'm not exactly sure which one it uses (I think it's the Assertion Consumer Service URL), but the APM matches one of those values with the corresponding External SP Connector to figure out which one to use, and then does it's processing based on that.

    Also, within the policy - through the VPE - you can assign resources to users that they should be allowed to access.

    Hope this helps.

  • Question.. not exactly related. but where can I find the ACS URL that was sent in by the SP? I need to check to see which service it is returning to to decide what type of authentication is needed (so I need it early in the access policy). thanks!