APM Cookbook: AutoLaunch SAML Resources
Introduction
After the SAML labs at Agility I got a lot of questions about how to automatically launch SAML resources and skip the webtop, and I promised I'd write it up for you. If you haven't been to Agility, check it out next year; it's a great event!
Let's say you have a virtual server available at idp.company.com with a webtop and SAML resources on it. Users are complaining that they have to log in to the webtop and click the resource they want instead of being taken there automatically. Fortunately this is easy to solve!
There are two easy ways to automate this and improve your users' experience. In either solution below you'll add the iRule to the virtual server hosting the webtop. You can add more match lines inside the switch statement for additional resources, following the pattern shown in the example. The part that starts with "/saml/idp/res?id=" is a reference to the SAML resource, so what follows it is the full path of the SAML resource object. My example SAML Resource object is named "app1-saml-resource" and is under the default /Common partition. Yours may be under a different partition or iApp container, so adjust the path accordingly.
URI Based Autolaunch iRule
This solution requires users to specify in the URI which resource they want. In this example, putting idp.company.com/app1 into the address bar will autolaunch the app1 SAML resource.
# Fires once the access policy finishes: send the user straight to the resource named by the landing URI
when ACCESS_POLICY_COMPLETED {
    switch -glob [string tolower [ACCESS::session data get session.server.landinguri]] {
        "/app1" { ACCESS::respond 302 Location "/saml/idp/res?id=/Common/app1-saml-resource" }
    }
}
# Fires on later requests in an established session: same mapping, keyed on the requested URI
when ACCESS_ACL_ALLOWED {
    switch -glob [string tolower [HTTP::uri]] {
        "/app1" { ACCESS::respond 302 Location "/saml/idp/res?id=/Common/app1-saml-resource" }
    }
}
Improvement: Hostname Redirects
This improvement enables the user to use an alternate hostname to reach the webtop VS and get redirected to the autolaunching URI. You'll need a wildcard or SAN certificate, and you can CNAME the new hostname to your original one, idp.company.com. In this example, if the user reaches the webtop by going to app1.company.com, they will be redirected to https://idp.company.com/app1 and get the autolaunch. You can add this code to the bottom of the other iRule or place it in a separate iRule.
# Runs on every request: send the alternate hostname to the autolaunch URI on the webtop VS
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::host]] {
        "app1.company.com" { HTTP::redirect "https://idp.company.com/app1" }
    }
}
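As an added example that is not part of the original article, here are the two iRules above folded into one lookup-table-driven iRule, so that adding a SAML resource means adding one table line instead of another switch branch. The app2 resource, the app2.company.com hostname and the static:: table names are assumed placeholders. Any URI or hostname not in the tables falls through to the normal webtop, so the user-typed landing URI can only select one of the fixed resource paths and never steers the redirect elsewhere.

```tcl
# Added example: table-driven autolaunch for several SAML resources.
# Resource object paths and hostnames below are assumed placeholders.
when RULE_INIT {
    # landing URI (lower-case) -> SAML resource object path
    array set static::saml_apps {
        /app1 /Common/app1-saml-resource
        /app2 /Common/app2-saml-resource
    }
    # alternate hostname (lower-case) -> landing URI on the webtop VS
    array set static::saml_hosts {
        app1.company.com /app1
        app2.company.com /app2
    }
}

when HTTP_REQUEST {
    set host [string tolower [HTTP::host]]
    # Only hostnames present in the table are redirected; others reach the webtop VS as usual
    if { [info exists static::saml_hosts($host)] } {
        HTTP::redirect "https://idp.company.com$static::saml_hosts($host)"
    }
}

when ACCESS_POLICY_COMPLETED {
    set uri [string tolower [ACCESS::session data get session.server.landinguri]]
    # Exact-key lookup: an unknown URI is not redirected, so the user lands on the webtop
    if { [info exists static::saml_apps($uri)] } {
        ACCESS::respond 302 Location "/saml/idp/res?id=$static::saml_apps($uri)"
    }
}

when ACCESS_ACL_ALLOWED {
    set uri [string tolower [HTTP::uri]]
    if { [info exists static::saml_apps($uri)] } {
        ACCESS::respond 302 Location "/saml/idp/res?id=$static::saml_apps($uri)"
    }
}
```

Because the redirect target is always built from a table value rather than from the request, the only part a user controls is which table entry is chosen.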
And that's it!
- jerebrad_302050 (Nimbostratus)
I'm not sure why, but in order for me to get this to work I had to leave "/app1" set to "/".
- Graham_Alderso1 (Employee)
Are you just going to https://idp.company.com rather than https://idp.company.com/app1? This iRule redirects based on what URI was requested so that you could have multiple options here, so /app1 goes to app1, /app2 could go to app2, etc. You can make an app the default result by using / as one of the options as you have.
It's important then to realize that users will never be able to get to the webtop which might be a problem if you have multiple SAML resources there. If you only have the one, then it makes perfect sense to do that.
- Graham_Alderso1 (Employee)
Another potential option, rather than using a / just use a default option in the switch statement. More details here: https://devcentral.f5.com/s/articles/irules-101-04-switch.
 
And if you only have the one SAML app and don't need multiple options you can remove the switch statement entirely and just do the redirect in the two events (the when statements). Something like this.
 
when ACCESS_POLICY_COMPLETED {
    ACCESS::respond 302 Location "/saml/idp/res?id=/Common/app1-saml-resource"
}
when ACCESS_ACL_ALLOWED {
    ACCESS::respond 302 Location "/saml/idp/res?id=/Common/app1-saml-resource"
}
- jerebrad_302050 (Nimbostratus)
Thanks for the reply Graham. Currently we only have the one, but there is a potential that we might use the F5 for more SAML connections in the future so I would like to leave it with the multiple options.
We are currently just using idp.company.com instead of idp.company.com/app1. What would I need to change to use the /app1 model? As I mentioned above, I would prefer to use that method in case we do use the F5 for multiple SAML resources.
- Graham_Alderso1 (Employee)
You would change it to /app1 instead of / and have users type idp.company.com/app1 into their browser instead of just idp.company.com. It just keys off the URI match. You can even have both options listed and doing the same thing; that way, if they forget the /app1 it will still work for now, but later, when you deploy more SAML apps, you would remove the / option so that they get the webtop and can choose what SAML app they want if they don't select one by URI entry.
- jerebrad_302050 (Nimbostratus)
Oh, I see. I thought there was something I missed in the SAML configuration to get it to do the /app1 in the URL.
- Stéphane_PICARD (Nimbostratus)
Hi Graham, and thanks for this interesting article. One question on my side, if I may: does this article work only where F5 is the Identity Provider? My use case here is to use F5 as Service Provider with the Identity Provider being a third party. Both are linked through "SAML". Then my users need to access a web application but do not want to go through a webtop. I found a way (thanks to a Virtual Server dedicated to my "web application") but was wondering if your case could also be another way. Hope I am clear enough...
Maybe my understanding where such a link (/saml/idp/res?id=/Common/app1-saml-resource) comes from would help. Would I also be able to have such a "SAML resource link" when F5 is Service Provider and not Identity Provider, or does it not make sense?
Thanks a lot
- Graham_Alderso1 (Employee)
Stephane Picard,
This article won't provide any benefit for the Big-IP as SP use case, only Big-IP as IdP.
When Big-IP is acting as a service provider you just need to attach to the application's virtual server an access profile with a SAML Auth object. That is where you configure it to act as a SAML SP and redirect to the IdP for authentication automatically with an SP initiated authentication request. It will also accept IdP initiated authentication automatically.
If you just want a link, you could link to however the IdP auto-initiates an IdP initiated authentication, or you could just link to the virtual server with your application and it will automatically start SP initiated authentication if your access profile is set up properly; nothing special is needed.
- Stéphane_PICARD (Nimbostratus)
Clear, thanks!
- Clyde (Nimbostratus)
Graham, thanks for the helpful iRule. One thing I am seeing is that when a user logs out of the SP, they are also directed to my IdP to log out there. However, it appears the iRule gets hit again and they are just redirected back to the SP with the same SAML assertion. Hope that makes sense. Any ideas?