Forum Discussion
blwavg_10621
Nimbostratus
NimbostratusSAML SSO Without a Webtop
The F5 is the SAML IDP for an external cloud based service. I am working on setting up and testing this on a webtop. Is it possible to not have to use a webtop? For example, setup an internal DNS rec...
Michael_Koyfman
Cirrocumulus
CirrocumulusIt is definitely possible, but you'd need to use an iRule for that.
when ACCESS_POLICY_COMPLETED {
log local0. "Policy Completed"
switch -glob [ACCESS::session data get session.server.network.name] {
"bobscloud.company.comp"
{
ACCESS::respond 302 Location "/saml/idp/res?id=/Common/bobscloud.com"
}
}
}
The value you put in the ACCESS::respond should match the name of your SAML resource that is placed on the webtop - I named it bobscloud.com for you. Essentially, you're forcing a user to automatically hit the webtop-based IDP-initiated connection without seeing the webtop.
InnONimbostratus
NimbostratusYes. I have one IdP with multiple cloud SP external connectors. I always create a specific endpoint IdP URI for each SP, then in my iRule, select my SAML resource to use in the ACCESS::respond based on the URI used to reach my IdP.
For instance, for an IdP-initiated session for the MyCloudApp, I would configure and use a specific URI for my IdP named https://idp.mycompany.com/mycloudapp
when ACCESS_POLICY_COMPLETED {
switch -glob [ACCESS::session data get session.server.landinguri] {
"/mycloudapp*" {
ACCESS::respond 302 Location "https://idp.mycompany.com/saml/idp/res?id=/Common/MYCLOUDAPP"
}
"/proofpoint*" {
ACCESS::respond 302 Location "https://idp.mycompany.com/saml/idp/res?id=/Common/PROOFPOINT"
}
"/businessolver*" {
ACCESS::respond 302 Location "https://idp.mycompany.com/saml/idp/res?id=/Common/BUSINESSOLVER"
}
}
