IdP Discovery for IdP Initiated SAML
Problem this snippet solves:
This iRule enables IdP discovery for IdP initiated SAML for v12 and earlier. In v13 and later this is not necessary because IdP discovery for IdP initiated SAML happens by Issuer match in the assertion. IdP discovery is only needed if you have APM acting as SP and have bound multiple IdPs to it.
How to use this snippet:
Apply this iRule to the virtual server acting as a SAML SP. Set your matching criteria in the IdP bindings. The iRule assumes session.server.landinguri is the matching criteria; change it if you used something else.
You must create a string-type datagroup named saml-idp-matching. The string (key) is the Referer header of the SAML assertion POSTed to /saml/sp/profile/post/acs. The value is the matching criteria configured in the binding (i.e. the landinguri used for SP initiated SSO).
Example datagroup entry:
Example SAML binding:
Code :
# This iRule enables IdP discovery for IdP initiated SAML.
# It is unnecessary in v13 and later, where IdP discovery for IdP initiated SAML happens automatically by Issuer ID in the SAML assertion.
# You must create the saml-idp-matching datagroup (string type) for the lookup: the string is the Referer URL and the value is the matching criteria.
# session.server.landinguri is assumed to be the matching criteria; if not, change it below.
when ACCESS_SESSION_STARTED {
    # Only a POST to the SP assertion consumer service should contain a SAML assertion
    if { ( [HTTP::uri] equals "/saml/sp/profile/post/acs" ) and ( [HTTP::method] equals "POST" ) } {
        # Look up the Referer URL in the datagroup and get the matching value
        set matching [class match -value -- [HTTP::header value Referer] equals saml-idp-matching]
        # Set that value as the session variable used for IdP discovery.
        # Only set it when the lookup returned a value, so a missing or unknown Referer
        # does not overwrite the variable with an empty string.
        if { $matching ne "" } {
            ACCESS::session data set session.server.landinguri $matching
        }
    }
}
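A constructed tmsh definition of the datagroup the iRule looks up, added here as an example and not part of the original snippet; the IdP URLs and the /sp-a and /sp-b landing URIs are assumed values, and each value must equal the landinguri configured in the corresponding IdP binding.

```tmsh
# Constructed example (not from the original snippet).
# Keys: the exact Referer URL each IdP's portal sends with the unsolicited assertion.
# Values: the session.server.landinguri string used as matching criteria in that IdP's binding.
ltm data-group internal saml-idp-matching {
    records {
        "https://idp-a.example.com/idp/profile/SAML2/Unsolicited/SSO" {
            data /sp-a
        }
        "https://idp-b.example.com/portal/" {
            data /sp-b
        }
    }
    type string
}
```

Because the iRule uses `equals`, the Referer must match a key exactly (scheme, host, path and trailing slash included); if an IdP sends varying Referer paths, use `starts_with` in the `class match` instead and key the records on the common prefix.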
Tested this on version:
12.1