APM Cookbook: AutoLaunch SAML Resources

Introduction

After the SAML labs at Agility I got a lot of questions about how to automatically launch SAML resources and skip the webtop, and I promised I'd write it up for you. If you haven't been to Agility, check it out next year, it's a great event!

Let's say you have a virtual server available at idp.company.com with a webtop and SAML resources on it. Users are complaining that they have to log in to the webtop and click the resource they want instead of landing on it automatically. Fortunately this is easy to solve!

There are two easy ways to automate this and improve your users' experience. In either solution below you'll add the iRule to the virtual server hosting the webtop. You can add more match lines inside the switch statement, following the pattern in the example. The string after "/saml/idp/res?id=" is the full path of the SAML resource object. My example SAML Resource object is named "app1-saml-resource" and is under the default /Common partition. Yours may be under a different partition or iApp container, so adjust the path accordingly.

URI Based Autolaunch iRule

This solution requires users to specify in the URI which resource they want. In this example, putting idp.company.com/app1 into the address bar will autolaunch the app1 SAML resource.

when ACCESS_POLICY_COMPLETED {
    # First request after login: match on the URI the user originally landed on
    switch -glob [string tolower [ACCESS::session data get session.server.landinguri]] {
        "/app1" {ACCESS::respond 302 Location "/saml/idp/res?id=/Common/app1-saml-resource"}
    }
}
when ACCESS_ACL_ALLOWED {
    # Later requests in an established session: match on the current request URI
    switch -glob [string tolower [HTTP::uri]] {
        "/app1" {ACCESS::respond 302 Location "/saml/idp/res?id=/Common/app1-saml-resource"}
    }
}

Improvement: Hostname Redirects

This improvement lets the user reach the webtop VS through an alternate hostname and get redirected to the autolaunching URI. You'll need a wildcard or SAN certificate, and you can CNAME the new hostname to your original one, idp.company.com. In this example, if the user reaches the webtop by going to app1.company.com, they will be redirected to https://idp.company.com/app1 and get the autolaunch. Add this code to the bottom of the other iRule or put it in a separate iRule.

when HTTP_REQUEST {
    # Alternate hostname: send the browser to the canonical host plus the autolaunch URI
    switch -glob [string tolower [HTTP::host]] {
        "app1.company.com" { HTTP::redirect "https://idp.company.com/app1" }
    }
}
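As an added example (not code from the original article), here is the same URI-based autolaunch and hostname redirect generalized to any number of SAML resources by driving both lookups from data groups rather than per-app switch lines. It assumes two string data groups with hypothetical names: saml_autolaunch_dg, mapping a short URI such as "/app1" to the resource path "/Common/app1-saml-resource", and saml_host_dg, mapping an alternate hostname such as "app1.company.com" to "/app1".

```tcl
# Added example, not from the original article: data-group-driven autolaunch.
# Assumed string data groups (hypothetical names):
#   saml_autolaunch_dg : "/app1" := "/Common/app1-saml-resource"
#                        "/app2" := "/Common/app2-saml-resource"
#   saml_host_dg       : "app1.company.com" := "/app1"
#                        "app2.company.com" := "/app2"

# Look up the SAML resource path for a requested URI. Only the path component
# is used as the key, so a query string cannot alter which entry matches.
proc saml_target { uri } {
    set key [string tolower [lindex [split $uri "?"] 0]]
    # Exact-key lookup: returns the data group value, or "" when there is no entry
    return [class match -value $key equals saml_autolaunch_dg]
}

when HTTP_REQUEST {
    # Alternate hostnames redirect to the canonical host plus the autolaunch URI.
    # Strip any :port so "app1.company.com:443" still matches the key.
    set host [string tolower [lindex [split [HTTP::host] ":"] 0]]
    set path [class match -value $host equals saml_host_dg]
    if { $path ne "" } {
        HTTP::redirect "https://idp.company.com$path"
    }
}

when ACCESS_POLICY_COMPLETED {
    # First request after login: use the URI the user originally landed on
    set target [call saml_target [ACCESS::session data get session.server.landinguri]]
    if { $target ne "" } {
        ACCESS::respond 302 Location "/saml/idp/res?id=$target"
    }
    # No match: fall through and show the webtop as usual
}

when ACCESS_ACL_ALLOWED {
    # Later requests in the same session: key off the current request URI
    set target [call saml_target [HTTP::uri]]
    if { $target ne "" } {
        ACCESS::respond 302 Location "/saml/idp/res?id=$target"
    }
}
```

Because every Location value is assembled only from data group values, a user-supplied URI or Host header can select one of the configured resources but never an arbitrary redirect target, and anything that does not match simply falls through to the webtop. Adding a new SAML app then means adding two data group entries rather than editing the iRule.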

And that's it!

Published Aug 10, 2016
Version 1.0
  • Oh I see. I thought there was something I missed in the SAML configuration to get it to do the /app1 in the url.


  • You would change it to /app1 instead of / and have users type idp.company.com/app1 into their browser instead of just idp.company.com. It just keys off the URI match. You can even have both options listed and doing the same thing, that way if they forget the /app1 it will still work for now, but then later when you deploy more SAML apps you would remove the / option so that they get the webtop and can choose what SAML app if they don't select one by URI entry.


  • Thanks for the reply, Graham. Currently we only have the one, but there is a potential that we might use the F5 for more SAML connections in the future, so I would like to leave it with the multiple options.


    We are currently just using idp.company.com instead of idp.company.com/app1. What would I need to change to use the /app1 model? As I mentioned above, I would prefer to use that method in case we do use the F5 for multiple SAML resources.


  • Another potential option, rather than using a / just use a default option in the switch statement. More details here: https://devcentral.f5.com/s/articles/irules-101-04-switch.


    And if you only have the one SAML app and don't need multiple options you can remove the switch statement entirely and just do the redirect in the two events (the when statements). Something like this.


    when ACCESS_POLICY_COMPLETED {
        ACCESS::respond 302 Location "/saml/idp/res?id=/Common/app1-saml-resource"
    }
    when ACCESS_ACL_ALLOWED {
        ACCESS::respond 302 Location "/saml/idp/res?id=/Common/app1-saml-resource"
    }
  • Are you just going to https://idp.company.com rather than https://idp.company.com/app1? This iRule redirects based on what URI was requested so that you could have multiple options here, so /app1 goes to app1, /app2 could go to app2, etc. You can make an app the default result by using / as one of the options as you have.


    It's important then to realize that users will never be able to get to the webtop which might be a problem if you have multiple SAML resources there. If you only have the one, then it makes perfect sense to do that.


  • I'm not sure why, but in order for me to get this to work I had to leave "/app1" set to "/".