SURFsecureID Second Factor Only (SFO) Authentication

Problem this snippet solves: Second Factor Only authentication allows a SP to authenticate only the second factor of a user. With SFO you can add two factor authentication to your institutions appli...
Updated Jun 06, 2023
Version 2.0
BIG-IP Access Policy Manager (APM)
Niels_van_Sluis's avatar
Niels_van_Sluis
Icon for MVP rankMVP
Jan 30, 2018

The frontend virtual server is kind of a wrapper for the virtual server that holds the actual access policy. The reason why this extra virtual server is needed has to do with the internal working of the SAML process that is performed by the access policy. This process will not trigger the HTTP_RESPONSE iRule event, which makes it impossible to intercept and alter the SAML request. However when using this layered virtual server structure, the frontend virtual server that is logically between the backend virtual server and the IDP will trigger the HTTP_RESPONSE iRule event and makes it possible to intercept and alter the SAML request.

 

I hope this clarifies the need for an extra virtual server.