CodeShare
Nobby
Nimbostratus

Problem this snippet solves:

APM doesn't expose any detail about the SAML SP Issuer when an SP-initiated SAMLRequest hits APM acting as an IdP. This iRule, when applied to a SAML IdP enabled virtual server, will extract the assertion request, decode it and present the SAML SP Issuer ID as the session variable %{session.saml.request.issuer} within APM.

How to use this snippet:

This comes in really handy when performing authorisation of the resource, and could help avoid having APM perform a TCP connection reset when a SAML resource isn't authorised.

Code:

when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    if { [HTTP::path] equals "/saml/idp/profile/redirectorpost/sso" } {
        if { [HTTP::method] equals "POST" } {
            # Collect POST data
            set content_length [HTTP::header value Content-Length]
            HTTP::collect $content_length
        } elseif { [HTTP::method] equals "GET" } {
            # TODO: Redirect binding (GET) is not handled yet
        }
    }
}
when HTTP_REQUEST_DATA {
    set payload_data [URI::decode [HTTP::payload]]

    # Debug logging of the raw SAMLRequest parameter
    log local0. "payload=[URI::query "?$payload_data" "SAMLRequest"]"
    if { $payload_data contains "SAMLRequest" } {
        # Extract SAML request data
        set SAMLdata [b64decode [URI::query "?$payload_data" "SAMLRequest"]]

        # Locate the Issuer element and take the text between its tags
        set SAML_Issuer_loc [string first "saml:issuer" [string tolower $SAMLdata]]
        set SAML_Issuer_start [expr {[string first ">" $SAMLdata $SAML_Issuer_loc] + 1}]
        set SAML_Issuer_end [expr {[string first "<" $SAMLdata $SAML_Issuer_start] - 1}]
        set SAML_Issuer [string range $SAMLdata $SAML_Issuer_start $SAML_Issuer_end]

        # If an APM session already exists, store the issuer in it now
        if { !([ACCESS::session sid] equals "" ) } {
            ACCESS::session data set session.saml.request.issuer $SAML_Issuer
        }
    }
}
when ACCESS_SESSION_STARTED {
    # Otherwise store it once the session has been created
    if { [info exists SAML_Issuer] } {
        ACCESS::session data set session.saml.request.issuer $SAML_Issuer
    }
}

Tested this on version:

11.6
Comments
Walter_Kacynski
Cirrostratus

I would like to note that in BIG-IP 13.1, friendly messages are displayed when SAML resources are denied.

Message: "Access to requested SAML resource is denied."

svs
Altocumulus

Hi Nobby,

Thank you very much! This works like a charm in v13 as well and helped me a lot.

Cheers, svs

Brian
Nimbostratus

Any possibility of getting the GET method solution?

svs
Altocumulus

What do you mean? Redirect Binding? Just try to fetch the request by extracting the URL parameter using HTTP::query, i.e. there are a bunch of examples for extracting URL parameters on DevCentral.

Kris__109062
Nimbostratus

You can't deflate in an iRule (that I know of).

You need to URL-decode, deflate and base64-decode when the SAML SP uses Redirect Binding.

I used this to get started and then found out I needed deflate.

set get_payload_data [b64decode [URI::decode [URI::query [HTTP::uri] SAMLRequest]]]

Also, I needed to update the original iRule here because some SPs' Auth requests looked like this:

saml2:issuer

which didn't match, so I changed it to:

set SAML_Issuer_loc [string first ":issuer" [string tolower $SAMLdata]]

Jad_Tabbara__J1
Cirrostratus

Hello Nobby.

Thanks for sharing, very useful.

I used it for Azure Office 365 integration but adapted it a little bit, because the SAML Request does not contain "saml:issuer" but instead "<issuer", so I changed the following line

set SAML_Issuer_loc [string first "saml:issuer" [string tolower $SAMLdata]]

by the following line

set SAML_Issuer_loc [string first "<issuer" [string tolower $SAMLdata]]

After that, I was able to extract the SAML SP "Issuer" value.

Regards
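The decode-and-extract step of the iRule above, redone as an added Python example (not the iRule itself and not code from anyone in this thread) so it can be run offline: it handles both the POST binding and the Redirect binding (base64 over a raw DEFLATE stream) asked about in the comments, and looks the Issuer up by XML namespace, so the saml:, saml2: and unprefixed variants reported above all match. The SSO path is the iRule's; the issuer URLs and AuthnRequest XML are constructed samples.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"   # namespace of <Issuer>
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"   # namespace of <AuthnRequest>

def decode_saml_request(value, method):
    """Undo the SP's encoding. POST binding: base64 only.
    Redirect binding (GET): base64 over a raw DEFLATE stream (no zlib header)."""
    raw = base64.b64decode(value)
    if method == "GET":
        raw = zlib.decompress(raw, -15)   # wbits=-15 selects raw DEFLATE
    return raw

def extract_issuer(xml_bytes):
    """Namespace-aware lookup: saml:, saml2: and unprefixed <Issuer> all match."""
    issuer = ET.fromstring(xml_bytes).find(f"{{{SAML_NS}}}Issuer")
    return issuer.text.strip() if issuer is not None and issuer.text else None

def issuer_from_request(method, uri, body=""):
    """SP Issuer of an SP-initiated AuthnRequest, or None if absent or malformed."""
    query = urlsplit(uri).query if method == "GET" else body
    params = parse_qs(query)              # also percent-decodes the value
    if "SAMLRequest" not in params:
        return None
    try:
        return extract_issuer(decode_saml_request(params["SAMLRequest"][0], method))
    except (ValueError, zlib.error, ET.ParseError):
        return None                       # bad base64, bad DEFLATE or not XML

# Constructed test vectors (not captured SP traffic): the SP side of the exchange.
def encode_for_binding(xml_bytes, method):
    if method == "GET":                   # Redirect binding: DEFLATE, then base64
        c = zlib.compressobj(9, zlib.DEFLATED, -15)
        xml_bytes = c.compress(xml_bytes) + c.flush()
    return base64.b64encode(xml_bytes).decode()

# "saml2:" prefix, which the iRule's "saml:issuer" string match misses
REQ_SAML2 = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml2="{SAML_NS}" '
             'ID="_c1" Version="2.0"><saml2:Issuer>https://sp1.example.test</saml2:Issuer>'
             '</samlp:AuthnRequest>').encode()
# Unprefixed <Issuer> carried by a default namespace, as in the Office 365 report
REQ_PLAIN = (f'<AuthnRequest xmlns="{SAMLP_NS}" ID="_c2" Version="2.0"><Issuer '
             f'xmlns="{SAML_NS}">https://sp2.example.test</Issuer></AuthnRequest>').encode()
SSO_PATH = "/saml/idp/profile/redirectorpost/sso"
POST_BODY = urlencode({"SAMLRequest": encode_for_binding(REQ_SAML2, "POST"), "RelayState": "r"})
GET_URI = SSO_PATH + "?" + urlencode({"SAMLRequest": encode_for_binding(REQ_PLAIN, "GET")})
```

Malformed input (bad base64, a non-DEFLATE stream on the Redirect binding, or non-XML) yields None rather than a partial string, so an authorisation decision keyed on the issuer can fail closed.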

ebeng
Nimbostratus

Did someone ever figure out the GET part, where SAML SSO is initiated with an HTTP GET?

Also, has someone got an idea how we can see this content once the response is signed? Even with SAML-Tracer I'm not able to decode the base64-encoded SAMLRequest string into something readable, but the tool itself can read the SAMLRequest.

Version history
Last update: 06-Apr-2016 16:00