APM Cookbook: AutoLaunch SAML Resources

Introduction

After the SAML labs at Agility I got a lot of questions about how to automatically launch SAML resources and skip the webtop, and I promised I'd write it up for you. If you haven't been to Agility, check it out next year, it's a great event!

Let's say you have a virtual server available at idp.company.com with a webtop and SAML resources on it. Users are complaining that they have to login to the webtop and click the resource they want instead of automatically getting to what they wanted. Fortunately this is easy to solve!

There are two easy ways to automate this and improve your user's experience. In either solution below you'll add the iRule to the virtual server hosting the webtop. You can add additional lines for more matches right below the switch statement just like I've shown on the example. The part that starts with "/saml/idp/res?id=" is a reference to the SAML resource, so it will be the full SAML resource path after that. My example SAML Resource object is named "app1-saml-resource" and is under the default /Common partition. Yours may be under a different partition or iApp container so you can adjust the path accordingly.

URI Based Autolaunch iRule

This solution requires users to specify in the URI which resource they want. In this example, putting idp.company.com/app1 into the address bar will autolaunch the app1 SAML resource.

when ACCESS_POLICY_COMPLETED {
    switch -glob [string tolower [ACCESS::session data get session.server.landinguri]] {
        "/app1" {ACCESS::respond 302 Location "/saml/idp/res?id=/Common/app1-saml-resource"}
    }
}
when ACCESS_ACL_ALLOWED {
    switch -glob [string tolower [HTTP::uri]] {
        "/app1" {ACCESS::respond 302 Location "/saml/idp/res?id=/Common/app1-saml-resource"}
    }
}

Improvement: Hostname Redirects

This improvement enables the user to use an alternate hostname to reach the webtop VS and get redirected to the autolaunching URI. You'll need to have a wildcard or SAN certificate and you can CNAME the new hostname to your original one, idp.company.com. In this example, if the user reaches the webtop by going to app1.company.com then they will be redirected to https://idp.company.com/app1 and get autolaunch. You just add this code to the bottom of the other iRule or place in a separate iRule.

when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::host]] {
        "app1.company.com" { HTTP::redirect "https://idp.company.com/app1" }
    }
}

And that's it!

Published Aug 10, 2016

Version 1.0

BIG-IP Access Policy Manager (APM)

26 Comments

Graham_Alderso1
Employee
May 16, 2018
OK, then you'll need to deploy the webtop and resources since you'll bind to multiple SPs. Fortunately when you use SP initiated auth as you described (user starts by going directly to the SP and it redirects), they won't see the webtop at the IdP anyway, it just automatically sends them back to the SP after auth. They only see the webtop if they start by going to the IdP. This article shows how to make the user not see the webtop even if they go directly to the IdP, which might be useful, but probably not in your circumstance.

Good luck!
JoeTheFifth
Altostratus
May 16, 2018
I got that. I did some tests. 1 SP => VS + policy: Saml Auth (idp) => variable assign (saml attribute to username) => sso kerberos 1 Idp => VS+ Policy: logon page => Allow. This ends in a saml/idp/profile/redirectorpost/sso error page. I added a saml ressource and this ends in a policy deny page. I understand the saml ressource is required but I don't see the link between the saml ressource and my web app. I didn't configure a portal or a webtop. I expect the redirect to my webapp after the saml auth (dp) step. I have already used apm as idp with adfs without issues. I do use apm with sun ldap to ms kerberos without issues. I guess I'm missing the saml ressource config/role here. I'll have to dig a little deeper in the config manual.
JoeTheFifth
Altostratus
May 16, 2018
ok got it working with a saml ressource. SP VS is mywebapp1.domain.com. Simplest way is to create a second SP with a second VS for mywebapp2.domain.com both SPs can be linked to the same IDP. OR use a portal and webtops. Or Do some voodoo in the SP apm policy to manage all the web app hostnames...
Marvin
Cirrocumulus
Mar 12, 2019
If I understood correctly this SAML IDP initiated solution provides SSO access to all external SAML resources with only a Single Login on the F5 IDP (IDP initiated), without having to login and authenticate to each SP (and F5 IDP) separately?

Technically this use case scenario would only work with IDP initiated combined with SAML resources and not with SP initiated SAML (no webtop and no SAML resources)? Is it possible to automatically send SAML responses to all the Service Providers with a single SP initiated login as well? Something similar to the Single Log Out (SLO) but then logging in for SP initiated SAML requests is that feasible in your opinion?

But again my guts tell me that the only solution that would fit this use case is IDP initiated, correct?

ps: perhaps the oauth integration delivers more flexibility with oauth bearer but I will have to do some labs at Agility 2019 to practice on this ;-)
Graham_Alderso1
Employee
Mar 12, 2019
Marvin, when doing SP initiated, the auth request already identifies what app to redirect the user to and that happens natively, so the solution is not relevant for SP initiated problems.

As for your question about automatically sending SAML responses to every SP upon an SP initiated auth to any one of them (or for that matter, upon launching the webtop for IdP initiated), it's not something most environments would want but you may have a good use case. Theoretically it's possible, you could use this as example code to start from, and you'd have to make sure you launch a new tab for every one of those SPs. It would be definitely solving a different problem than this code, so I'd suggest that this work should happen/be published under a new article. If you take it on, be sure to comment back here linking to your new article so we can see the great solution! As you build that solution, remember that when publishing apps on a webtop for IdP initiated, SP initiated also automatically works in that same deployment.
JamesRiggs
Nimbostratus
Jul 30, 2019
Did an update cause this to stop working? I used this a while back to link directly to SAML resouces with mixed results. Back buttons on browsers would cause weird behavior (sometimes going back inside the remote application as expected, sometimes going back to the APM logon screen, sometimes to an error from APM). The project that prompted us to try the iRule fizzled out for a while, but it has just picked up steam again. Now when I try to use one of these resources directly from the links created, i end up on a "vdesk/hangup.php3" logout screen. APM logs show an authorization failure for the SAML resource. That SAML resource is assigned to my user in the APM Policy for the webtop with which it is associated. If I log on to the webtop, i can click the link there and it works like a champ. Immediately after the SAML resource auth failure in the APM logs is a "user logout request", which I assume is the reason for the hangup screen. I would call support, but they pointed out on a previous call (i was using CamElCaSe on a string that had been lower-cased... duh) that they wouldn't be able to provide support on a user created script... If it is still working for others, we may have something gone a little sideways in APM that needs other attention, but I'm not seeing odd behavior with anything else.
Thanks!