SSO Resource Assignment

expression to include in the branch :

expr { !([mcget {session.assigned.webtop}] equals "") && !([mcget {session.assigned.resources}] equals "") }

Thanks, that does work if they are not a member of any SAML resource/WebTop. Do you know of a creative way to show a nice deny page if they match at least 1 SAML resource but not the one they are going to?

Example, they make it through the policy since they have at least 1 SAML resource, however, they did not initiate the SSO connection at this resource. Therefore, it's a page cannot be displayed or a long SSO error. Maybe an irule that captures general SSO failure?

Thanks, Mike

This is the error - SSOv2 Error(16) Unable to find SAML SSO/SP Connector object matching SAML Authn Request.

If I could intercept all (SSOv2 Error)s to redirect to a deny/sorry page, that would work. Testing irule logic now.

Unfortunately, you may encounter this error and the user receive a tcp reset. In v12.1.0, several cases have been fixed but as I said, the best at the moment is to define a datagroup containing allowed SP connectors and trap the SAMLRequest, decode it, retrieve the SAML SP identifier and execute a lookup against the datagroup.

Thanks for the clarification. I'm going to end up using my main SSO VIP as the VIP for all 'everyone' SSO access without group assignment. Then either control user restriction by creating another VIP or handling it at the SP side instead.