APM Cookbook: AutoLaunch SAML Resources

Introduction

After the SAML labs at Agility I got a lot of questions about how to automatically launch SAML resources and skip the webtop, and I promised I'd write it up for you. If you haven't been to Agility, check it out next year, it's a great event!

Let's say you have a virtual server available at idp.company.com with a webtop and SAML resources on it. Users are complaining that they have to login to the webtop and click the resource they want instead of automatically getting to what they wanted. Fortunately this is easy to solve!

There are two easy ways to automate this and improve your user's experience. In either solution below you'll add the iRule to the virtual server hosting the webtop. You can add additional lines for more matches right below the switch statement just like I've shown on the example. The part that starts with "/saml/idp/res?id=" is a reference to the SAML resource, so it will be the full SAML resource path after that. My example SAML Resource object is named "app1-saml-resource" and is under the default /Common partition. Yours may be under a different partition or iApp container so you can adjust the path accordingly.

URI Based Autolaunch iRule

This solution requires users to specify in the URI which resource they want. In this example, putting idp.company.com/app1 into the address bar will autolaunch the app1 SAML resource.

when ACCESS_POLICY_COMPLETED {
    switch -glob [string tolower [ACCESS::session data get session.server.landinguri]] {
        "/app1" {ACCESS::respond 302 Location "/saml/idp/res?id=/Common/app1-saml-resource"}
    }
}
when ACCESS_ACL_ALLOWED {
    switch -glob [string tolower [HTTP::uri]] {
        "/app1" {ACCESS::respond 302 Location "/saml/idp/res?id=/Common/app1-saml-resource"}
    }
}

Improvement: Hostname Redirects

This improvement enables the user to use an alternate hostname to reach the webtop VS and get redirected to the autolaunching URI. You'll need to have a wildcard or SAN certificate and you can CNAME the new hostname to your original one, idp.company.com. In this example, if the user reaches the webtop by going to app1.company.com then they will be redirected to https://idp.company.com/app1 and get autolaunch. You just add this code to the bottom of the other iRule or place in a separate iRule.

when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::host]] {
        "app1.company.com" { HTTP::redirect "https://idp.company.com/app1" }
    }
}

And that's it!

Published Aug 10, 2016
Version 1.0
BIG-IP Access Policy Manager (APM)
iRules
saml
security
user experience
  • Graham_Alderso1's avatar
    Graham_Alderso1
    Icon for Employee rankEmployee
    Apr 12, 2017

    If you setup SAML SLO (SAML Single LogOut) then it will log the user out of the APM. As an alternative, you can have the SAML SP send a logged out user to your apm with the URL https://myapmvirtualserver.ccompany.com/vdesk/hangup.php3 and the session will be terminated. Or you could just leave the APM session in place and redirect a logged out user to something else like your website.

     

    If you have auto-login through something like NTLM or Kerberos, then when the user is logged out they may just get logged back in automatically depending on which method above is used, so in that case you might want to write an iRule that intercepts and redirects the user somewhere else after a logout or perhaps anytime the incoming referer header is the logout page of the app, that way they won't just go to /my.policy and then get sent along to the app again.

     

  • Clyde's avatar
    Clyde
    Icon for Nimbostratus rankNimbostratus
    Apr 12, 2017

    Thanks a bunch, Graham. The SP we are working with is able to redirect the user to another URL when they log out of the SP, so I will try just redirecting them to the hangup page in APM. I tested it (by spoofing the redirect) and seems to achieve what you stated. And yes, I am utilizing Kerberos to log the user in automatically, so that is exactly what is happening (/my.policy and logged back into the app).

     

    For the iRule piece you are referencing, I assume one of the examples here is likely what I would need to do if I need to go that route.

     

    [https://devcentral.f5.com/s/articles/irule-security-101-06-http-referer]

     

  • Graham_Alderso1's avatar
    Graham_Alderso1
    Icon for Employee rankEmployee
    Apr 12, 2017

    Yep, I haven't written an iRule that does this yet, but that's the first solution that comes to mind (assuming there's a good Referer header to key off) and you're going down the right path. You'd want to remove the session as well. https://clouddocs.f5.com/api/irules/ACCESS__session.html

     

    Actually, in your case since you can control the redirect URL, maybe the simplest is to just choose something like /mycustomlogout and redirect them there, and then your iRule can just look for that instead of bothering with the Referer header.

     

    Perhaps try this (untested).

     

    when HTTP_REQUEST {
    if { [HTTP::uri] equals "/mycustomlogout"} {
        ACCESS::session remove
        HTTP::redirect "https://mywebsite.com"
    }
}
  • Graham_Alderso1's avatar
    Graham_Alderso1
    Icon for Employee rankEmployee
    Aug 29, 2017

    Juan,

     

    You're in luck, that is already default behavior! In SP initiated the user is sent directly back to the SP with the assertion following policy completion (authentication), they do not see a webtop. It knows what SAML resource to use because it can match the incoming SP initiated authentication request up to the assigned SAML resources.

     

    If you see a webtop when attempting SP initiated, but IdP initiated auth works when the user clicks the webtop link, then there is a misconfiguration at the SP. It's not the IdP configuration because it can successfully perform IdP initiated auth. The SP misconfiguration results in F5 not identifying the request as SP initiated authentication request, so it just shows the webtop. The most common cause is the SP is not redirecting the user to the correct URI (/saml/idp/profile/redirectorpost/sso) or the SAML AuthN request is malformed/not present.

     

  • Peter_Baumann_5's avatar
    Peter_Baumann_5
    Icon for Nimbostratus rankNimbostratus
    Dec 29, 2017

    Just for your information:

     

    It is still the same behavior in v13.1.0.1.

     

    Manual Link:

     

    APM Authentication SSO 13.1

     

    -> "Note: A configuration that allows users to initiate connection from service providers (SPs) only"

     

    So the iRule above is still needed...

     

  • JoeTheFifth's avatar
    JoeTheFifth
    Icon for Altostratus rankAltostratus
    May 16, 2018

    I haven't done much research about this yet but here is what I will be looking into: Use APM as SP and IDP => replace ADFS/WAP Proxy. so configure an sp and and idp on the same bigip and bind them. create two policies (sp policy and idp policy); have two web apps webapp1.domain.com and webapp2.domain.com directed to the sp VS. no webtops no ressources. user puts webapp1.domain.com in his browser and hits the sp vs . sp vs redirects the to idp vs to do ldap auth. idp vs redirectes to the sp vs (webapp2.domain.com) with saml assertion. sp vs policy gets the username drom the saml assertion and does kerberos sso to webapp2.domain.com.

     

    Is this possible with APM version 12 ?

     

    I have already used APM as IDP with adfs and web application proxy to do kcd auth. but I want to get rid of adfs and webapplication proxy.

     

    Thanks.

     

  • Graham_Alderso1's avatar
    Graham_Alderso1
    Icon for Employee rankEmployee
    May 16, 2018

    Yes. That will work.

     

    You should probably pick one of the DNS names to be the one used by the SP in its SAML configuration (webapp1.domain.com or webapp2.domain.com). So no matter what name is used to get to the SP, the one you picked in the SAML config is the one the user will be returned to after auth at the IdP. An alternative option if you must have the user returned to the same DNS name is that you could detect the DNS name, branch in the APM config, and have a different SAML Auth object for each DNS name (and related config).

     

    You'll want to reference the manual for APM as SP and APM as IdP specific to the version you run. There are two ways to deploy APM as IdP, with webtop and one without. With webtop is required if you'll have multiple SPs, but not if you will only have one and want to limit it to ONLY SP initiated auth (meaning you can't go to the IdP first). The article above is about how to deploy with webtop, but have the SAML object autolaunch so the user doesn't see the webtop, which is different.

     

    This guide will help you on the Kerberos setup: https://f5.com/solutions/deployment-guides/kerberos-constrained-delegation-big-ip-v11-v12-apm

     

    Note that it shows client cert auth on the client side and you're using SAML instead, but the setup of the Kerberos Constrained Delegation is the same.

     

    If you need to seek more help, I suggest opening a new thread since this is out of scope for the article above and won't get the same level of notice/attention.

     

  • JoeTheFifth's avatar
    JoeTheFifth
    Icon for Altostratus rankAltostratus
    May 16, 2018

    thanks Graham. I have an sp/idp config to play with now but I'm not getting the expected result. I will start another thread about this configuration. I will need several web applications using the same idp.