Forum Discussion
Use iRules to validate signed payload
I am working on an Okta implementation for a website behind a BigIP. Note we do NOT have the APM so this is just LTM and any iRules I need to write.
The issue is I receive a message as a posted parameter to the webapp. The field is called SAMLResponse. In Okta, we signed the assertion (SAMLResponse data) with a certificate (all Base64 encoded). I understand the idea of validating a client certificate, but the piece that puzzles me is that all the cert data is in this SAMLResponse variable. So for me to use any iRules statements to deal with the certificate, I presume I have to load that so I can check various fields.
My thought is something like this:
- I load the Okta certificate they used to sign the SAMLResponse into the BigIP, then I presume I have to somehow dissect this SAMLResponse parameter to let the BigIP check the item was properly signed. If so, I can pass the identifying data to the BigIP (email in this case).
Am I on the right track? I would appreciate it if anyone has done something where they use the BigIP to validate that a payload has been signed with the cert and not tampered with.
I know there is plenty of info on Okta and BigIP available, but it all seems centric to the APM. I am really just trying to use the BigIP to validate the data signing, versus a SAML provider endpoint as the APM examples illustrate.
Hi Thomas,
Am I on the right track?
Yes you are, but keep in mind that iRules have no built-in commands to parse your SAML data. So you would need to perform all the parsing and verification manually (e.g. B64 decode, removing deflate compression, XML string parsing and finally dealing with the crypto stuff).
It would be much easier to jump from your iRule into an iRuleLX namespace and do this stuff with NodeJS. NodeJS has much more functionality when it comes to SAML, Deflate, XML etc.
Cheers, Kai