Forum Discussion

MC_273315's avatar
MC_273315
Icon for Cirrus rankCirrus
Jul 27, 2016

SSO Resource Assignment

I recently have multiple SP SSO connections working in the same Access Profile. This works as the user navigates to whichever resource they are requesting. The SAML resources are valued in 'LDAP Grou...
BIG-IP Access Policy Manager (APM)
security
  • Yann_Desmarest_'s avatar
    Yann_Desmarest_
    Jul 28, 2016

    Hi,

     

    You can add an empty box and add branches where you check that session.assigned.resources and session.assigned.webtop are not empty.

     

Yann_Desmarest's avatar
Yann_Desmarest
Icon for Cirrus rankCirrus

Hi,

 

You can add an empty box and add branches where you check that session.assigned.resources and session.assigned.webtop are not empty.

 

MC_273315's avatar
MC_273315
Icon for Cirrus rankCirrus
Jul 28, 2016

Thanks, that does work if they are not a member of any SAML resource/WebTop. Do you know of a creative way to show a nice deny page if they match at least 1 SAML resource but not the one they are going to?

 

Example, they make it through the policy since they have at least 1 SAML resource, however, they did not initiate the SSO connection at this resource. Therefore, it's a page cannot be displayed or a long SSO error. Maybe an irule that captures general SSO failure?

 

Thanks, Mike