Forum Discussion

Rabbit23_116296's avatar
Icon for Nimbostratus rankNimbostratus
Jun 20, 2014

SAML to Workday - Deep Linking

We would like to provide deep links to business to maintain links at the service provider while going through the SAML authentication process.

IdP initiated works just fine (i had to put a redirect location iRule to the webtop link to get this to do an unsolicited SAML assertion post to the Service Provider).

Herein lies my challenge, Workday being the service provider does not formulate a standard AuthN request which ofcourse the APM module wont know what to do with. Instead this is what it does:

Workday assists in this by appending the requested (deep-link) URL as a GET URL parameter (similarly, named done), to the URL for the IdP, when it redirects for sign on. i.e. the user clicks the deeplink in their email, their browser navigates to Workday, which in turn redirects to the IdP sign on page. That redirect navigates their browser to the IdP sign on page, with a GET parameter named done, appended, set to the value of the ultimate deep link URL. https://customers.identity.provider/sign-on-page.html?done= NAME/fx/task/2997$194.flex The customers’ IdP package logic must be developed or configured to observe this done parameter and be sure to pass it back to Workday, as an identically name POST variable, when POSTing the SAMLRequest assertion.

So I could capture the query string payload in an iRule but posting it back? The webtop iRule is already somewhat of a hack and not true Identity Provider initiated SSO, how could I manipulate the Webtop link is really what I'm asking I think?

The Irule I currently use to redirect to the webtop link is in a switch statement:

HTTP::redirect ""

I need to somehow manipulate how I post back to the assertion consumer service URL, any ideas?

3 Replies

  • kunjan's avatar
    Icon for Nimbostratus rankNimbostratus

    May be can explore, creating a layered virtual server for the SP connector and use iRule to modify the POST payload to insert the POST parameter required.


  • Rabbit, did you ever come up with a solution to this? The inability to dynamically assign Assertion Consumer Service URLs or POST parameters is becoming a hangup for several of our implementations as well


  • This is a similar solution, on 11.5.4, that we were able to come up with: