Forum Discussion
SAML SSO Without a Webtop
I have tried these iRules and am still unable to get this to work for my environment. When redirected it immediately logs out. I receive "Authorization failure: Denied request for SAML resource" and "Session deleted due to user logout request." in the log.
    when ACCESS_POLICY_COMPLETED {
        switch -glob [ACCESS::session data get session.server.landinguri] {
            "/mycloudapp*" {
                ACCESS::respond 302 Location "https://idp.mycompany.com/saml/idp/res?id=/Common/MYCLOUDAPP"
            }
            "/proofpoint*" {
                ACCESS::respond 302 Location "https://idp.mycompany.com/saml/idp/res?id=/Common/PROOFPOINT"
            }
            "/businessolver*" {
                ACCESS::respond 302 Location "https://idp.mycompany.com/saml/idp/res?id=/Common/BUSINESSOLVER"
            }
        }
    }
and
    when HTTP_REQUEST {
        # If the URI isn't a redirect to an SP resource, and it's an active session, redirect to the SAML SP resource
        if { not ( [HTTP::uri] starts_with "/saml/idp/res?id=" ) and ( [HTTP::cookie exists MRHSession] ) and ( [ACCESS::session exists -state_allow -sid [HTTP::cookie value MRHSession]] ) } {
            switch [string tolower [HTTP::host]] {
                "idp.domain.com" {
                    HTTP::redirect "/saml/idp/res?id=/Common/idp.domain.com-resource"
                }
            }
        }
    }

    when ACCESS_POLICY_COMPLETED {
        # Redirect to the SAML SP resource
        switch -glob [string tolower [ACCESS::session data get session.server.network.name]] {
            "idp.domain.com" {
                ACCESS::respond 302 Location "/saml/idp/res?id=/Common/idp.domain.com-resource"
            }
        }
    }
- jerebrad_302050, Jan 31, 2017
Nimbostratus
BM0001
 
A couple of things. Break out the troubleshooting, so leave off the when HTTP_REQUEST until you get the when ACCESS_POLICY_COMPLETED bit working or vice versa.
 
Second take a look at https://devcentral.f5.com/s/articles/apm-cookbook-autolaunch-saml-resources-21377
 
Hopefully that will help. I don't think you need to specify the https://idp.mycompany.com in your 302 Location statement. Also, I think you are missing the -glob statement after your switch under your when HTTP_REQUEST.
 
- BM0001_301854, Jan 31, 2017
Nimbostratus
Great, thanks! The second option in the link got me going. I used the URI Based Autolaunch iRule and it worked for one SP redirect! How would I add additional SP redirects to this iRule?
- jerebrad_302050, Jan 31, 2017
Nimbostratus
I'm not 100% sure what you're asking, so I'm going to answer what I think you're asking.
You should be able to just add hostname redirects for each SP, so for example:
    when HTTP_REQUEST {
        switch -glob [string tolower [HTTP::host]] {
            "app1.company.com" { HTTP::redirect "https://idp.company.com/app1" }
            "app2.company.com" { HTTP::redirect "https://idp.company.com/app2" }
            "app3.company.com" { HTTP::redirect "https://idp.company.com/app3" }
        }
    }

etc.
Then in your URI Based Autolaunch iRule add the corresponding bits for the new app:
    when ACCESS_POLICY_COMPLETED {
        switch -glob [string tolower [ACCESS::session data get session.server.landinguri]] {
            "/app1" { ACCESS::respond 302 Location "/saml/idp/res?id=/Common/app1-saml-resource" }
            "/app2" { ACCESS::respond 302 Location "/saml/idp/res?id=/Common/app2-saml-resource" }
            "/app3" { ACCESS::respond 302 Location "/saml/idp/res?id=/Common/app3-saml-resource" }
        }
    }

    when ACCESS_ACL_ALLOWED {
        switch -glob [string tolower [HTTP::uri]] {
            "/app1" { ACCESS::respond 302 Location "/saml/idp/res?id=/Common/app1-saml-resource" }
            "/app2" { ACCESS::respond 302 Location "/saml/idp/res?id=/Common/app2-saml-resource" }
            "/app3" { ACCESS::respond 302 Location "/saml/idp/res?id=/Common/app3-saml-resource" }
        }
    }

- BM0001_301854, Jan 31, 2017
Nimbostratus
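As an added example (editor's illustration, not code from the thread or from F5's cookbook article), here is the same two-stage flow written as one table-driven iRule: adding an SP means adding one entry to each table rather than a new switch branch in two events. The hostnames, landing URIs, resource names and the static::sp_landing / static::sp_resource tables are assumptions; the commands used (HTTP::host, HTTP::redirect, ACCESS::session data get, ACCESS::respond) are the ones already used in the thread. It also guards against the redirect loop the original HTTP_REQUEST rule avoids by excluding /saml/idp/res?id= URIs, and logs unmapped landing URIs instead of silently doing nothing.

```tcl
# Added example, not from the thread: table-driven version of the
# hostname -> landing URI -> SAML resource flow discussed above.
# All hostnames, URIs and resource names below are assumptions.
when RULE_INIT {
    # SP hostname (lower-case) -> landing URI on the IdP virtual server.
    array set static::sp_landing {
        "app1.company.com" "/app1"
        "app2.company.com" "/app2"
    }
    # Landing URI -> SAML IdP resource (partition path), as assigned in the policy.
    array set static::sp_resource {
        "/app1" "/Common/app1-saml-resource"
        "/app2" "/Common/app2-saml-resource"
    }
    set static::idp_host "idp.company.com"
}

# Stage 1: send a user who arrives on an SP hostname to that SP's landing
# URI on the IdP. Requests already on the IdP host, or already on the SAML
# resource path, are left alone so the redirect cannot loop.
when HTTP_REQUEST {
    set host [string tolower [HTTP::host]]
    if { $host equals $static::idp_host } { return }
    if { [HTTP::uri] starts_with "/saml/idp/res?id=" } { return }
    if { [info exists static::sp_landing($host)] } {
        HTTP::redirect "https://$static::idp_host$static::sp_landing($host)"
    }
}

# Stage 2: once the access policy has completed, send the authenticated
# user to the SAML resource that matches the landing URI they arrived on.
# An unmapped landing URI is logged and falls through to the policy's
# normal ending instead of producing a bare redirect to nowhere.
when ACCESS_POLICY_COMPLETED {
    set landing [string tolower [ACCESS::session data get session.server.landinguri]]
    # Drop any query string so "/app1?x=y" still matches the table key "/app1".
    set landing [lindex [split $landing "?"] 0]
    if { [info exists static::sp_resource($landing)] } {
        ACCESS::respond 302 Location "/saml/idp/res?id=$static::sp_resource($landing)"
    } else {
        log local0. "No SAML resource mapped for landing URI '$landing'"
    }
}
```

The log line in the else branch is the check worth keeping: the "Denied request for SAML resource" message in the first post appears when the session is redirected to a resource, so a landing URI that maps to nothing (or to a resource name that does not match what the policy assigns) should show up in /var/log/ltm rather than being guessed at from the APM log alone.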
Yes, that's what I was asking for. I will give it a try tomorrow and let you know how it goes! Thanks for the quick response!