Forum Discussion
blwavg_10621
Nimbostratus
Nov 12, 2013
SAML SSO Without a Webtop
The F5 is the SAML IDP for an external cloud-based service. I am working on setting up and testing this on a webtop. Is it possible to not have to use a webtop? For example, set up an internal DNS rec...
jerebrad_302050
Nimbostratus
Jan 26, 2017
I couldn't get this solution to work, but I did get this to work:
 
```tcl
when ACCESS_POLICY_COMPLETED {
    # SP-initiated requests land on the SAML IdP SSO endpoint, so no redirect is sent
    if { [ACCESS::session data get session.server.landinguri] eq "/saml/idp/profile/redirectorpost/sso" } {
        log local0. "SP initiated SAML detected, not sending redirect"
    } else {
        # Any other landing URI is treated as IdP-initiated: redirect to the assigned SAML resource
        ACCESS::respond 302 Location "/saml/idp/res?id=[ACCESS::session data get session.assigned.resources.saml]"
        log local0. "IDP initiated SAML detected, sending redirect"
    }
}
```
**From this discussion: https://devcentral.f5.com/s/feed/0D51T00006i7YW3SAM**

**I lowered the inactivity timeout on the Access Policy because if you use this method, you can't log out the session, and if you try to access the resource again before the previous session timed out, you will get a connection failed message.**
 