Forum Discussion
SSO Resource Assignment
- Jul 28, 2016
Hi,
You can add an empty box and add branches where you check that session.assigned.resources and session.assigned.webtop are not empty.
- Yann_Desmarest, Jul 28, 2016 (Cirrus)
Expression to include in the branch:
expr { !([mcget {session.assigned.webtop}] equals "") && !([mcget {session.assigned.resources}] equals "") }
- MC_273315, Jul 28, 2016 (Cirrus)
Thanks, that does work if they are not a member of any SAML resource/WebTop. Do you know of a creative way to show a nice deny page if they match at least 1 SAML resource but not the one they are going to?
For example, they make it through the policy since they have at least 1 SAML resource; however, they did not initiate the SSO connection at this resource. Therefore, it's a "page cannot be displayed" or a long SSO error. Maybe an iRule that captures general SSO failure?
Thanks, Mike
- MC_273315, Jul 28, 2016 (Cirrus)
This is the error: SSOv2 Error(16) Unable to find SAML SSO/SP Connector object matching SAML Authn Request.
If I could intercept all SSOv2 errors and redirect to a deny/sorry page, that would work. Testing iRule logic now.
- Yann_Desmarest, Jul 28, 2016 (Cirrus)
Unfortunately, you may encounter this error and the user receives a TCP reset. In v12.1.0, several cases have been fixed, but as I said, the best at the moment is to define a datagroup containing allowed SP connectors and trap the SAMLRequest, decode it, retrieve the SAML SP identifier and execute a lookup against the datagroup.
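The check Yann outlines (trap the SAMLRequest, decode it, pull out the SP identifier, look it up in an allow-list and deny anything else before the SSO engine sees it) as a stand-alone reference model. This is an added example, not an iRule from the thread or F5 code; the allow-list, the entityIDs and the AuthnRequest it builds are constructed, and it models the HTTP-Redirect binding (URL-encoded, base64, raw DEFLATE).

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

# Constructed allow-list; stands in for the data group of permitted SP connectors.
ALLOWED_SP_ENTITY_IDS = {"https://sp-allowed.example.com/saml/metadata"}
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def decode_redirect_binding(saml_request):
    """Reverse the HTTP-Redirect binding: base64-decode, then inflate the raw
    DEFLATE stream (wbits=-15: no zlib header). URL-decoding is done by parse_qs."""
    return zlib.decompress(base64.b64decode(saml_request), -15)


def extract_issuer(authn_request_xml):
    """Return the SP entityID from <saml:Issuer>, or None if this is not an AuthnRequest."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return None
    issuer = root.find("saml:Issuer", NS)
    return issuer.text.strip() if issuer is not None and issuer.text else None


def sp_allowed(query_string):
    """Gate a SAML request: returns (allowed, issuer). Anything that fails to parse is denied."""
    values = urllib.parse.parse_qs(query_string).get("SAMLRequest")
    if not values:
        return False, None
    try:
        issuer = extract_issuer(decode_redirect_binding(values[0]))
    except (ValueError, zlib.error, ET.ParseError):  # binascii.Error is a ValueError
        return False, None
    return issuer in ALLOWED_SP_ENTITY_IDS, issuer


def build_query(issuer, relay_state="app1"):
    """Constructed test input: encode a minimal AuthnRequest the way an SP would."""
    xml = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_c1" Version="2.0" '
           'IssueInstant="2016-07-28T00:00:00Z"><saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>'
           % (NS["samlp"], NS["saml"], issuer))
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    return "SAMLRequest=%s&RelayState=%s" % (
        urllib.parse.quote(base64.b64encode(deflated).decode(), safe=""),
        urllib.parse.quote(relay_state, safe=""))


if __name__ == "__main__":
    for sp in ("https://sp-allowed.example.com/saml/metadata", "https://sp-other.example.com/saml"):
        print(sp, "->", "allow" if sp_allowed(build_query(sp))[0] else "deny")
```

In the iRule version the set lookup becomes a `class match` against the data group and a False result becomes a redirect to the sorry page, so the unknown SP never reaches the SSOv2 engine and the user gets a page instead of a reset.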
- MC_273315, Jul 29, 2016 (Cirrus)
Thanks for the clarification. I'm going to end up using my main SSO VIP as the VIP for all 'everyone' SSO access without group assignment. Then either control user restriction by creating another VIP or handling it at the SP side instead.