APM Cookbook: AutoLaunch SAML Resources

Introduction

After the SAML labs at Agility I got a lot of questions about how to automatically launch SAML resources and skip the webtop, and I promised I'd write it up for you. If you haven't been to Agility, check it out next year; it's a great event!

Let's say you have a virtual server available at idp.company.com with a webtop and SAML resources on it. Users are complaining that they have to log in to the webtop and then click the resource they want instead of landing directly on it. Fortunately this is easy to solve!

There are two easy ways to automate this and improve your users' experience. In either solution below you'll add the iRule to the virtual server hosting the webtop. To handle more resources, add pattern/action lines inside each switch body, right below the example line. The string "/saml/idp/res?id=" is the APM path that launches a SAML resource; what follows it is the full path of the SAML Resource object. My example SAML Resource object is named "app1-saml-resource" and lives in the default /Common partition. Yours may be in a different partition or an iApp folder, so adjust the path accordingly. Note that each match redirects to a fixed string, so nothing from the request is echoed into the Location header; keep it that way rather than building the redirect target from the landing URI or Host header, which would turn the rule into an open redirect.

URI Based Autolaunch iRule

This solution requires users to specify in the URI which resource they want. In this example, putting idp.company.com/app1 into the address bar autolaunches the app1 SAML resource. Two events are needed: ACCESS_POLICY_COMPLETED handles a fresh login, where the URI the user originally requested is preserved in session.server.landinguri, and ACCESS_ACL_ALLOWED handles a user who already has a session and browses to /app1 directly.

when ACCESS_POLICY_COMPLETED {
    # Fresh login: the URI the user asked for before the policy ran is saved
    # in the landing URI. Match it and jump straight to the SAML resource.
    switch -glob [string tolower [ACCESS::session data get session.server.landinguri]] {
        "/app1" { ACCESS::respond 302 Location "/saml/idp/res?id=/Common/app1-saml-resource" }
    }
}

when ACCESS_ACL_ALLOWED {
    # Existing session: the user browsed to /app1 after already logging in.
    switch -glob [string tolower [HTTP::uri]] {
        "/app1" { ACCESS::respond 302 Location "/saml/idp/res?id=/Common/app1-saml-resource" }
    }
}

Improvement: Hostname Redirects

This improvement lets the user reach the webtop VS through an alternate hostname and get redirected to the autolaunching URI. You'll need a wildcard or SAN certificate that covers the new hostname (the TLS handshake completes before the redirect is sent), and you can CNAME the new hostname to your original one, idp.company.com. In this example, if the user reaches the webtop by going to app1.company.com they are redirected to https://idp.company.com/app1 and get the autolaunch. Add this code to the bottom of the other iRule or put it in a separate iRule on the same virtual server.

when HTTP_REQUEST {
    # HTTP_REQUEST fires before the access policy, so the redirect happens
    # without a session. Only exact, lower-cased hostnames match.
    switch -glob [string tolower [HTTP::host]] {
        "app1.company.com" { HTTP::redirect "https://idp.company.com/app1" }
    }
}
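If you end up with more than a handful of resources, the switch statements above grow with every new app and every change means an iRule edit. The following iRule is an added example, not code from the original article: it keeps the same three events and the same fixed-target behaviour, but reads the mappings from two String data groups so new resources are added as data-group records. The data group names (saml_autolaunch_paths, saml_autolaunch_hosts) and their records are assumptions for this example; create them under /Common before attaching the iRule.

```tcl
# Added example (not from the original article): URI- and hostname-based
# SAML autolaunch driven by data groups instead of hard-coded switch patterns.
#
# Assumed String data groups (hypothetical names, create under /Common):
#   saml_autolaunch_paths : key "/app1"            -> value "/Common/app1-saml-resource"
#   saml_autolaunch_hosts : key "app1.company.com" -> value "/app1"
#
# Every redirect target is looked up from a data group (an allowlist); nothing
# taken from the request is copied into the Location header, so adding
# records cannot turn the rule into an open redirect.

when HTTP_REQUEST {
    # Alternate hostname -> autolaunch path on the webtop hostname.
    set path [class match -value [string tolower [HTTP::host]] equals saml_autolaunch_hosts]
    if { $path ne "" } {
        HTTP::redirect "https://idp.company.com${path}"
    }
}

when ACCESS_POLICY_COMPLETED {
    # Fresh login: the originally requested URI is in the landing URI.
    # Drop any query string so "/app1?x=y" still matches the "/app1" record.
    set uri [string tolower [ACCESS::session data get session.server.landinguri]]
    set res [class match -value [lindex [split $uri "?"] 0] equals saml_autolaunch_paths]
    if { $res ne "" } {
        ACCESS::respond 302 Location "/saml/idp/res?id=${res}"
    }
}

when ACCESS_ACL_ALLOWED {
    # Existing session: the user browsed straight to an autolaunch path.
    set uri [string tolower [HTTP::uri]]
    set res [class match -value [lindex [split $uri "?"] 0] equals saml_autolaunch_paths]
    if { $res ne "" } {
        ACCESS::respond 302 Location "/saml/idp/res?id=${res}"
    }
}
```

To add a second application you would add one record to saml_autolaunch_paths (and, if you want a vanity hostname for it, one record to saml_autolaunch_hosts plus the matching CNAME and certificate SAN) without touching the iRule. Keys must be exact, lower-cased paths or hostnames; avoid wildcard records so a request can never select a resource you did not intend to expose.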

And that's it!

Published Aug 10, 2016
Version 1.0
