APM SAML IdP - SP Issuer Extraction
Problem this snippet solves:
APM doesn't expose any detail about the SAML SP Issuer when an authentication request hits APM acting as an IdP during an SP-initiated SAMLRequest. This iRule, when applied to a SAML IdP-enabled virtual server, collects the authentication request, decodes it and presents the SAML SP Issuer ID as the session variable %{session.saml.request.issuer} within APM.
How to use this snippet:
This comes in handy when authorising access to the resource, and can avoid APM performing a TCP connection reset when a SAML resource isn't authorised: with the Issuer available as a session variable, the access policy can branch on it and deny cleanly instead.
Code:

when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}

when HTTP_REQUEST {
    if { [HTTP::path] equals "/saml/idp/profile/redirectorpost/sso" } {
        if { [HTTP::method] equals "POST" } {
            # Collect POST data (HTTP-POST binding: SAMLRequest is form-encoded in the body)
            set content_length [HTTP::header value Content-Length]
            HTTP::collect $content_length
        } elseif { [HTTP::method] equals "GET" } {
            # TODO: HTTP-Redirect binding (SAMLRequest in the query string, DEFLATE-compressed)
        }
    }
}

when HTTP_REQUEST_DATA {
    set payload_data [URI::decode [HTTP::payload]]
    # Debug logging of the raw SAMLRequest form parameter
    log local0. "payload=[URI::query "?$payload_data" "SAMLRequest"]"
    if { $payload_data contains "SAMLRequest" } {
        # Extract the SAML request: the POST binding is plain base64, no inflate needed
        set SAMLdata [b64decode [URI::query "?$payload_data" "SAMLRequest"]]
        # Locate the Issuer element; this assumes the SP uses the "saml:" namespace prefix
        set SAML_Issuer_loc [string first "saml:issuer" [string tolower $SAMLdata]]
        # Only continue if the element was actually found (string first returns -1 otherwise)
        if { $SAML_Issuer_loc >= 0 } {
            # The Issuer value sits between the ">" closing the start tag and the next "<"
            set SAML_Issuer_start [expr {[string first ">" $SAMLdata $SAML_Issuer_loc] + 1}]
            set SAML_Issuer_end [expr {[string first "<" $SAMLdata $SAML_Issuer_start] - 1}]
            set SAML_Issuer [string range $SAMLdata $SAML_Issuer_start $SAML_Issuer_end]
            # Store it on the APM session if one already exists
            if { !([ACCESS::session sid] equals "") } {
                ACCESS::session data set session.saml.request.issuer $SAML_Issuer
            }
        }
    }
}

when ACCESS_SESSION_STARTED {
    # Otherwise store it once the APM session has been created
    if { [info exists SAML_Issuer] } {
        ACCESS::session data set session.saml.request.issuer $SAML_Issuer
    }
}

Tested this on version: 11.67

Comments
- Walter_Kacynski
Cirrostratus
I would like to note that BIG-IP 13.1 friendly messages are displayed when SAML resources are denied.
Message: "Access to requested SAML resource is denied."
- svs
Cirrostratus
Hi Nobby,
thank you very much! This works like charm in v13 as well and helped me a lot.
Cheers, svs
- Brian
Nimbostratus
Any possibility of getting the GET method solution?
- svs
Cirrostratus
What do you mean? Redirect Binding? Just try to fetch the Request by extracting the URL parameter using HTTP::query i.e. There are a bunch of examples for extracting URL parameters on DevCentral.
- Kris__109062
Nimbostratus
you can't deflate in an irule (that I know of)
You need to urldecode, deflate & base64decode when the SAML SP uses Redirect Binding
I used this to get started and then found out I needed deflate.
set get_payload_data [b64decode [URI::decode [URI::query [HTTP::uri] SAMLRequest]]]
Also, I needed to update the original irule here because some SP's Auth request looked like this..
saml2:issuer
.. which didn't match so I changed to..
set SAML_Issuer_loc [string first ":issuer" [string tolower $SAMLdata]]
- Jad_Tabbara__J1
Cirrostratus
Hello Nobby.
Thanks for sharing, very useful.
I used it for an Azure Office 365 integration, but I adapted it a little because the SAML Request does not contain "saml:issuer"
but instead "<issuer", so I have changed the following line
set SAML_Issuer_loc [string first "saml:issuer" [string tolower $SAMLdata]]
to the following line
set SAML_Issuer_loc [string first "<issuer" [string tolower $SAMLdata]]
After that, I was able to extract the SAML SP "Issuer" value.
Regards
- ebeng
Nimbostratus
Did anyone ever figure out the GET part, where the SAML SSO is initiated with an HTTP GET?
Also, does anyone have an idea how we can see this content once the response is signed? Even with SAML-Tracer I'm not able to decode the base64-encoded SAMLRequest string into something readable, but the tool itself can read the SAMLRequest.
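As an added worked example that is not part of the iRule above or of any F5 code, the following stand-alone Python performs the same SP Issuer extraction offline for both bindings discussed in this thread: the HTTP-POST binding the iRule handles (the SAMLRequest form field is plain base64 of the XML) and the HTTP-Redirect binding asked about for GET (the SAMLRequest query parameter is base64 of raw DEFLATE output, which is why an inflate step is needed there and base64 alone is not enough). Instead of searching for the literal text "saml:issuer", it parses the XML and looks up the Issuer element by its namespace, so the "saml2:" prefix and the bare "<Issuer" variants reported in the comments are all handled the same way. The two AuthnRequest documents, the entity IDs and the RelayState value are constructed sample data, and the function names are this example's own.

```python
"""Decode a SAML 2.0 AuthnRequest from the HTTP-POST or HTTP-Redirect binding
and return the SP Issuer, using an XML parser so the namespace prefix
(saml:, saml2:, or a default namespace) does not matter."""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, parse_qs

SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def issuer_from_authn_request(xml_bytes):
    """Return the text of the Issuer element (any prefix) of an AuthnRequest."""
    root = ET.fromstring(xml_bytes)
    issuer = root.find("{%s}Issuer" % SAML2_ASSERTION_NS)
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("AuthnRequest carries no Issuer element")
    return issuer.text.strip()


def decode_post_binding(saml_request_param):
    """HTTP-POST binding: SAMLRequest is base64 of the XML, nothing else."""
    return base64.b64decode(saml_request_param, validate=True)


def decode_redirect_binding(saml_request_param):
    """HTTP-Redirect binding: base64 of raw DEFLATE (no zlib header, hence wbits=-15)."""
    return zlib.decompress(base64.b64decode(saml_request_param, validate=True), -15)


def sp_issuer_from_request(method, query_string, body):
    """Dispatch on the HTTP method, as the iRule's HTTP_REQUEST event does.

    parse_qs form-decodes the parameter (percent escapes and '+'), which is the
    step the iRule performs with URI::decode before URI::query."""
    if method == "POST":
        params = parse_qs(body, strict_parsing=True)
        return issuer_from_authn_request(decode_post_binding(params["SAMLRequest"][0]))
    if method == "GET":
        params = parse_qs(query_string, strict_parsing=True)
        return issuer_from_authn_request(decode_redirect_binding(params["SAMLRequest"][0]))
    raise ValueError("unsupported method %r" % method)


# --- Constructed sample data (not captured traffic) ---------------------------
# One AuthnRequest uses the "saml2:" prefix, the other a default namespace with a
# bare <Issuer>, the two shapes that broke the literal "saml:issuer" search.
AUTHN_REQUEST_PREFIXED = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
    'Version="2.0" IssueInstant="2020-01-01T00:00:00Z">'
    '<saml2:Issuer>https://sp.example.test/metadata</saml2:Issuer>'
    '</samlp:AuthnRequest>'
)
AUTHN_REQUEST_DEFAULT_NS = (
    '<AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed2" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">'
    '<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:example:sp2</Issuer>'
    '</AuthnRequest>'
)


def build_post_body(xml_text):
    """Encode an AuthnRequest the way an SP does for the HTTP-POST binding."""
    saml_request = base64.b64encode(xml_text.encode()).decode()
    return urlencode({"SAMLRequest": saml_request, "RelayState": "constructed"})


def build_redirect_query(xml_text):
    """Encode an AuthnRequest the way an SP does for the HTTP-Redirect binding."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE stream
    deflated = compressor.compress(xml_text.encode()) + compressor.flush()
    saml_request = base64.b64encode(deflated).decode()
    return urlencode({"SAMLRequest": saml_request, "RelayState": "constructed"})


if __name__ == "__main__":
    print(sp_issuer_from_request("POST", "", build_post_body(AUTHN_REQUEST_PREFIXED)))
    print(sp_issuer_from_request("GET", build_redirect_query(AUTHN_REQUEST_DEFAULT_NS), ""))
```

The Issuer is looked up by its namespace URI rather than by tag text, which is what makes the prefix irrelevant; on a BIG-IP, where there is no inflate command, the Redirect binding still needs the DEFLATE step performed elsewhere. Since the AuthnRequest comes from an unauthenticated client, a hardened deployment would parse it with a library such as defusedxml rather than the standard ElementTree, and treat the extracted Issuer purely as a lookup key for the authorisation decision, never as trusted data.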