APM SAML IdP - SP Issuer Extraction

Nobby · ‎06-Apr-2016

Problem this snippet solves:

APM doesn't expose any detail about the SAML SP Issuer when authentication requests hitting APM as an IdP during an SP initiated SAMLRequest. This iRule when applied to a SAML IdP enabled virtual server will extract the assertion request, decode it and present the SAML SP Issuer ID as the session variable %{session.saml.request.issuer} within APM.

How to use this snippet:

This comes in real handy when performing authorisation of the resource and could help avoid having APM perform a TCP connection reset when a SAML resource isn't authorised.

Code :

when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
if { [HTTP::path] equals "/saml/idp/profile/redirectorpost/sso" } {
if { [HTTP::method] equals "POST" } {
# Colelct POST data
set content_length [HTTP::header value Content-Length]
HTTP::collect $content_length
} elseif { [HTTP::method] equals "GET" } {
#TODO
}
}
}
when HTTP_REQUEST_DATA {

set payload_data [URI::decode [HTTP::payload]]

    log local0. "payload=[URI::query "?$payload_data" "SAMLRequest"]" 
if { $payload_data contains "SAMLRequest" } {
# Extract SAML request data
set SAMLdata [b64decode [URI::query "?$payload_data" "SAMLRequest"]]

set SAML_Issuer_loc [string first "saml:issuer" [string tolower $SAMLdata]]
set SAML_Issuer_start [expr {[string first ">" $SAMLdata $SAML_Issuer_loc] + 1}]
set SAML_Issuer_end [expr {[string first "<" $SAMLdata $SAML_Issuer_start] - 1}]
set SAML_Issuer [string range $SAMLdata $SAML_Issuer_start $SAML_Issuer_end]

if { !([ACCESS::session sid] equals "" ) } {
ACCESS::session data set session.saml.request.issuer $SAML_Issuer
}
}

}
when ACCESS_SESSION_STARTED {
if { [info exists SAML_Issuer] } {
ACCESS::session data set session.saml.request.issuer $SAML_Issuer
}
}

Tested this on version:

11.6

Walter_Kacynski · ‎25-Jan-2018

I would like to note that BIG-IP 13.1 friendly messages are displayed when SAML resources are denied.

Message: "Access to requested SAML resource is denied."

svs · ‎19-Mar-2018

Hi Nobby,

thank you very much! This works like charm in v13 as well and helped me a lot.

Cheers, svs

Brian · ‎14-Sep-2018

Any possibility of getting the GET method solution?

svs · ‎15-Sep-2018

What do you mean? Redirect Binding? Just try to fetch the Request by extracting the URL parameter using HTTP::query i.e. There are a bunch of examples for extracting URL parameters on DevCentral.

Kris__109062 · ‎17-Sep-2018

you can't deflate in an irule (that I know of)

You need to urldecode, deflate & base64decode when the SAML SP uses Redirect Binding

I used this to get started and then found out I needed deflate.

set get_payload_data [b64decode [URI::decode [URI::query [HTTP::uri] SAMLRequest]]]

Also, I needed to update the original irule here because some SP's Auth request looked like this..

saml2:issuer

.. which didn't match so I changed to..

set SAML_Issuer_loc [string first ":issuer" [string tolower $SAMLdata]]

Jad_Tabbara__J1 · ‎11-Sep-2019

Hello Nobby.

Thanks for sharing very usefull.

I used it on for Azure Office 365 Integration but I adapt it a little bit because the SAML Request does not contain "saml:issuer"

but instead "<issuer" so I have change the following line

set SAML_Issuer_loc [string first "saml:issuer" [string tolower $SAMLdata]]

by the following line

set SAML_Issuer_loc [string first "<issuer" [string tolower $SAMLdata]]

After that, I was able to extract the SAML SP "Issuer" value.

Regards

ebeng · ‎19-Nov-2021

Did someone ever figured out the part with the GET part, where the SSO SAML is initiated with a HTTP GET?

Also has someone got an idea, once the response is signed, how can we see this content? even with SAML-Tracer I'm not able to decode the base64encoded SAMLRequest string to something readable, but the tool itself can read the SAMLRequest.