APM SAML IdP - SP Issuer Extraction

Problem this snippet solves:

APM doesn't expose any detail about the SAML SP Issuer when authentication requests hitting APM as an IdP during an SP initiated SAMLRequest. This iRule when applied to a SAML IdP enabled virtual server will extract the assertion request, decode it and present the SAML SP Issuer ID as the session variable %{session.saml.request.issuer} within APM.

How to use this snippet:

This comes in real handy when performing authorisation of the resource and could help avoid having APM perform a TCP connection reset when a SAML resource isn't authorised.

Code :

when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
if { [HTTP::path] equals "/saml/idp/profile/redirectorpost/sso" } {
if { [HTTP::method] equals "POST" } {
# Colelct POST data
set content_length [HTTP::header value Content-Length]
HTTP::collect $content_length
} elseif { [HTTP::method] equals "GET" } {
#TODO
}
}
}
when HTTP_REQUEST_DATA {

set payload_data [URI::decode [HTTP::payload]]

    log local0. "payload=[URI::query "?$payload_data" "SAMLRequest"]" 
if { $payload_data contains "SAMLRequest" } {
# Extract SAML request data
set SAMLdata [b64decode [URI::query "?$payload_data" "SAMLRequest"]]

set SAML_Issuer_loc [string first "saml:issuer" [string tolower $SAMLdata]]
set SAML_Issuer_start [expr {[string first ">" $SAMLdata $SAML_Issuer_loc] + 1}]
set SAML_Issuer_end [expr {[string first "<" $SAMLdata $SAML_Issuer_start] - 1}]
set SAML_Issuer [string range $SAMLdata $SAML_Issuer_start $SAML_Issuer_end]

if { !([ACCESS::session sid] equals "" ) } {
ACCESS::session data set session.saml.request.issuer $SAML_Issuer
}
}

}
when ACCESS_SESSION_STARTED {
if { [info exists SAML_Issuer] } {
ACCESS::session data set session.saml.request.issuer $SAML_Issuer
}
}

Tested this on version:

11.6
Published Apr 06, 2016
Version 1.0

Was this article helpful?

7 Comments

  • I would like to note that BIG-IP 13.1 friendly messages are displayed when SAML resources are denied.

     

    Message: "Access to requested SAML resource is denied."

     

  • Hi Nobby,

     

    thank you very much! This works like charm in v13 as well and helped me a lot.

     

    Cheers, svs

     

  • Brian's avatar
    Brian
    Icon for Nimbostratus rankNimbostratus

    Any possibility of getting the GET method solution?

     

  • What do you mean? Redirect Binding? Just try to fetch the Request by extracting the URL parameter using HTTP::query i.e. There are a bunch of examples for extracting URL parameters on DevCentral.

     

  • you can't deflate in an irule (that I know of)

     

    You need to urldecode, deflate & base64decode when the SAML SP uses Redirect Binding

     

    I used this to get started and then found out I needed deflate.

     

    set get_payload_data [b64decode [URI::decode [URI::query [HTTP::uri] SAMLRequest]]]

     

    Also, I needed to update the original irule here because some SP's Auth request looked like this..

     

    saml2:issuer

     

    .. which didn't match so I changed to..

     

    set SAML_Issuer_loc [string first ":issuer" [string tolower $SAMLdata]]

     

  • Hello Nobby.

    Thanks for sharing very usefull.

    I used it on for Azure Office 365 Integration but I adapt it a little bit because the SAML Request does not contain "saml:issuer"

    but instead "<issuer" so I have change the following line

    set SAML_Issuer_loc [string first "saml:issuer" [string tolower $SAMLdata]]

    by the following line

    set SAML_Issuer_loc [string first "<issuer" [string tolower $SAMLdata]]

    After that, I was able to extract the SAML SP "Issuer" value.

    Regards

  • ebeng's avatar
    ebeng
    Icon for Nimbostratus rankNimbostratus

    Did someone ever figured out the part with the GET part, where the SSO SAML is initiated with a HTTP GET?

    Also has someone got an idea, once the response is signed, how can we see this content? even with SAML-Tracer I'm not able to decode the base64encoded SAMLRequest string to something readable, but the tool itself can read the SAMLRequest.