SAML SSO Without a Webtop
The F5 is the SAML IDP for an external cloud-based service. I am working on setting up and testing this on a webtop. Is it possible to not have to use a webtop? For example, set up an internal DNS record, bobscloud.companyname.com. When the client types that in, they are authenticated and passed to the SAML resource.
I have the authentication piece down and I can figure out the webtop. But I have not found any documentation on how to have clients connect to a SAML federated resource without a webtop. Can anyone provide some direction?
53 Replies
- Kevin_Stewart
Employee
While there are a few ways to do this, is there a specific requirement to do IdP-initiated SAML? You could alternately do SP-initiated, which would natively return you to the app without an APM webtop.
Are you going to be setting up an IDP just for a single cloud service? The reason I am asking is that it's pretty rare for customers to set up a single cloud-based service in their environment - even if you start with one, there will always be more later on. :)
Regarding bobscloud.company.com - your cloud-based service should be able to take care of it for you: you will hit it, it will automatically send you to your local IDP, and after authenticating to APM you will automatically receive a response/assertion sent back to the cloud service.
- blwavg_10621
Nimbostratus
I am new to SAML, so I do not really know what options are available.
I have deployed ADFS for Office365 behind the F5. So I am familiar with cloud service redirecting back to our IDP (not the F5 in the case of ADFS). And then being authenticated and shooting you back to the cloud service. I have not used the F5 for SAML before nor built an IDP initiated SAML Request.
I was asked if it was possible to make an IDP-initiated connection without a webtop.
- Michael_Koyfman
Cirrocumulus
It is definitely possible, but you'd need to use an iRule for that.
    when ACCESS_POLICY_COMPLETED {
        log local0. "Policy Completed"
        # session.server.network.name holds the hostname the client connected to
        switch -glob [ACCESS::session data get session.server.network.name] {
            "bobscloud.company.com" {
                # Send the user straight to the webtop's IdP-initiated link for this SAML resource
                ACCESS::respond 302 Location "/saml/idp/res?id=/Common/bobscloud.com"
            }
        }
    }
The value you put in the ACCESS::respond should match the name of your SAML resource that is placed on the webtop - I named it bobscloud.com for you. Essentially, you're forcing a user to automatically hit the webtop-based IDP-initiated connection without seeing the webtop.
- blwavg_10621
Nimbostratus
I will test this out this week and let you know if it works. That is pretty clever. Thank you. I have some questions about the logic and flow of the data. But I want to play around a bit first and see if I can wrap my head around it first.
- AP_129594
Nimbostratus
Do you add this as an iRules Event on the visual editor or iRules under VIP?
- Michael_Koyfman
Cirrocumulus
iRules under VIP
- Rabbit23_116296
Nimbostratus
Hi
I have exactly the same requirements. I will test the iRule on the webtop also and post findings :)
- blwavg_10621
Nimbostratus
Awesome. Thank you. I have been working on getting the SAML portion to work for a while now with no luck. I have a case I am working with support on. I am currently working on getting SP-initiated requests to work, and have not been able to even try getting IDP-initiated requests to work yet.
- Micah_Haarbrink
Nimbostratus
@Rabbit23 or @blwavg did either of you get this working? I have a couple functional virtual servers / access policies for SP-initiated but am not sure how to set up IdP initiated.
- Rabbit23_116296
Nimbostratus
I did get it to work. One thing to be aware of is that the webtop does not allow cookie persistence. So if you want to avoid signing into your IDP when the SP session expires, this is not an option for IDP-initiated SSO.
So basically, create your webtop, and in your access policy, just before the Allow event, add an Advanced Resource Assign and assign the webtop to the access policy. Then you will find that after logon you should get the webtop with the SAML resource(s) you published to the webtop.
Click on one of the links and this should take you through to your cloud service. Note this link will be similar to Michael Koyfman's example above, which you simply add to an iRule, which means the user will never actually see the webtop but will go straight to the service provider.
Let me know how it pans out.
- Micah_Haarbrink
Nimbostratus
Is there something about the webtop that is required for IdP-initiated sessions? I have a couple SP-initiated SAML configs that work fine without a webtop. The only iRule I use for them is to establish the persistence of the cookie. They are basically "logon page -> AD auth -> Allow". You hit the service provider's login page (a custom login page for us obviously), it kicks back to the F5, the F5 allows, and the SAML exchange sends it back through to the service provider and we're in. I assumed that if I set up an access policy to just "logon page -> AD auth -> Allow", the settings from the Service Provider that is bound to the IdP would get used and send me into the site in a similar manner (hit my own login page on the F5, authentication, SAML settings tell it to go to the SP, which gets the POST that says the session is good). So is there something about the webtop that is required, such that I have to land on the webtop first and then the F5 does something additional when it sends me through to the SP?
- AJ_01_135899
Cirrostratus
Very curious whether people have gotten the non-webtop config working. Having to use the Webtop as part of an IDP-initiated SAML SSO is a pretty glaring deficiency in user experience in my opinion. I'll give the iRule a shot tomorrow and let everyone know how it works out.
- AJ_01_135899
Cirrostratus
I can verify that the iRule listed above works great. The whole concept of the webtop is a little strange to me - considering how a single SSO profile is associated with a single webtop, I just can't see the point.
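The difference between the two flows that Kevin_Stewart and Micah_Haarbrink describe above, as an added Python example that is not code from this thread or from F5 APM. The entity IDs, URLs and the IDP_RESOURCES table are constructed placeholders, and XML signing is left out so the exchange runs offline with the standard library only. It shows why the SP-initiated case needs no webtop resource: the SP's AuthnRequest carries its Issuer and a request ID that the Response must echo in InResponseTo, while an IdP-initiated Response answers no request, so the IdP has to be told which SP to target (in APM, the SAML resource behind the /saml/idp/res?id= link) and the SP has to be configured to accept unsolicited responses.

```python
"""SP-initiated vs IdP-initiated SAML 2.0 SSO, both sides, standard library only.
Added example, not code from the DevCentral thread or from F5 APM: entity IDs,
URLs and the resource table are constructed placeholders; XML signing is omitted."""
import base64
import secrets
import urllib.parse
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional, Set, Tuple

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed placeholders (assumptions, not values from the thread).
SP_ENTITY_ID = "https://bobscloud.example/saml/metadata"
SP_ACS_URL = "https://bobscloud.example/saml/acs"
IDP_ENTITY_ID = "https://idp.companyname.example/saml/idp"
IDP_SSO_URL = "https://idp.companyname.example/saml/idp/sso"
# Stands in for the IdP's configured SAML resources. The webtop link
# "/saml/idp/res?id=..." names one of these because, in an IdP-initiated flow,
# no AuthnRequest arrives to tell the IdP which SP to build a Response for.
IDP_RESOURCES = {"/Common/bobscloud.com": (SP_ENTITY_ID, SP_ACS_URL)}

def new_id() -> str:
    return "_" + secrets.token_hex(16)  # xs:ID values must not start with a digit

def now_iso() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def build_authn_request(request_id: str) -> bytes:
    """SP side: the AuthnRequest that starts an SP-initiated flow."""
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": now_iso(),
        "Destination": IDP_SSO_URL, "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    return ET.tostring(root)

def redirect_binding_url(authn_request: bytes, relay_state: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (wbits -15, no zlib header), base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_request) + comp.flush()
    query = urllib.parse.urlencode({
        "SAMLRequest": base64.b64encode(deflated).decode("ascii"),
        "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"

def idp_parse_redirect(url: str) -> Tuple[str, str, str]:
    """IdP side: recover (request ID, SP issuer, RelayState) from the redirect URL."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    root = ET.fromstring(zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15))
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    issuer = root.findtext(f"{{{SAML}}}Issuer") or ""
    return root.attrib["ID"], issuer, params.get("RelayState", [""])[0]

def build_response(acs_url: str, in_response_to: Optional[str]) -> bytes:
    """IdP side. in_response_to is None for an unsolicited (IdP-initiated) Response."""
    attrs = {"ID": new_id(), "Version": "2.0", "IssueInstant": now_iso(), "Destination": acs_url}
    if in_response_to is not None:
        attrs["InResponseTo"] = in_response_to
    root = ET.Element(f"{{{SAMLP}}}Response", attrs)
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    status = ET.SubElement(root, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode",
                  {"Value": "urn:oasis:names:tc:SAML:2.0:status:Success"})
    return ET.tostring(root)

def sp_correlate(response: bytes, outstanding: Set[str], allow_unsolicited: bool) -> str:
    """SP side: the InResponseTo check that runs after signature verification.
    Returns "solicited", "unsolicited" or "rejected"."""
    irt = ET.fromstring(response).attrib.get("InResponseTo")
    if irt is None:  # no AuthnRequest preceded this Response
        return "unsolicited" if allow_unsolicited else "rejected"
    if irt not in outstanding:
        return "rejected"  # replayed, or never issued by this SP
    outstanding.discard(irt)  # each AuthnRequest ID is good for exactly one Response
    return "solicited"

def sp_initiated_flow() -> str:
    """User hits the SP first; the SP redirects to the IdP; the IdP answers that request."""
    req_id = new_id()
    outstanding = {req_id}
    url = redirect_binding_url(build_authn_request(req_id), "/dashboard")
    parsed_id, issuer, _relay = idp_parse_redirect(url)
    if issuer != SP_ENTITY_ID:
        return "rejected"
    return sp_correlate(build_response(SP_ACS_URL, parsed_id), outstanding, allow_unsolicited=False)

def idp_initiated_flow(resource_id: str, allow_unsolicited: bool) -> str:
    """User hits the IdP first (webtop link or the iRule redirect); the IdP picks the SP
    from its resource table and sends an unsolicited Response, with no InResponseTo."""
    _sp_entity_id, acs_url = IDP_RESOURCES[resource_id]
    return sp_correlate(build_response(acs_url, None), set(), allow_unsolicited)
```

Calling sp_initiated_flow() returns "solicited", while idp_initiated_flow("/Common/bobscloud.com", True) returns "unsolicited" and the same call with False returns "rejected": an SP that only correlates against its own outstanding request IDs will turn an IdP-initiated login away, which is why the SP side of the federation must explicitly allow unsolicited responses before the webtop link (or the iRule redirect to it) can work.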
- blwavg_10621
Nimbostratus
I was not able to get the F5 to work as an IDP. So I was not able to test either scenario.
- Rabbit23_116296
Nimbostratus
Has anyone gotten cookie persistence to work with IDP-initiated and when using a webtop? I can't get this to work!
iRule:
    when ACCESS_POLICY_COMPLETED {
        log local0.notice "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Policy Completed"
        # Pick the SAML resource to jump to from the hostname the client connected to
        switch -glob [ACCESS::session data get session.server.network.name] {
            "recruitment.company.com" {
                log local0.notice "recruitment: Policy Completed"
                ACCESS::respond 302 Location "/saml/idp/res?id=/SSO/recruitment"
            }
            "bluetube.company.com" {
                log local0.notice "bluetube: Policy Completed"
                ACCESS::respond 302 Location "/saml/idp/res?id=/SSO/Kaltura"
            }
        }
    }