BIG-IP LTM+APM as a SAML SP using an external IdP. The external IdP supports and serves its login page in multiple languages. The language used can be a SAML Extension attribute in the SAML AuthnRequest, or it can be a parameter in the HTTP POST redirect which passes the request to the IdP.
Adding Extension attributes to the SAML request itself does not seem to be possible currently. So the option would be to add the parameter to the SAML request redirect, like POST
If the parameter part is added to the SAML IdP endpoint definition, it goes into the SAML AuthnRequest Destination element, too - and the IdP does not allow it.
Is there any way to do this other than making a front virtual server to intercept the SAML AuthnRequest redirect? Adding the layered front virtual complicates the solution, as the APM config is already rather complex. I would like to be able to intercept the SAML request and modify it with an iRule in the same APM virtual.
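
The Destination problem described above, sketched as an added example that is not part of the original post and is not F5 or IdP code: a hypothetical IdP that requires the AuthnRequest `Destination` to equal its endpoint exactly rejects a request whose endpoint definition carried the query parameter, but accepts one where the parameter appears only on the URL the form is posted to. The endpoint URL, the `lang` parameter name and the strict-match behaviour are assumptions.

```python
# Added illustration: constructed AuthnRequests and a hypothetical IdP-side check.
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
IDP_SSO_URL = "https://idp.example.com/sso/post"  # assumed IdP endpoint
LANG_PARAM = "lang"                               # assumed parameter name


def build_authn_request(destination):
    """Constructed, unsigned AuthnRequest, base64-encoded as for the HTTP-POST binding."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_constructed1", "Version": "2.0",
        "IssueInstant": "2024-01-01T00:00:00Z", "Destination": destination})
    return base64.b64encode(ET.tostring(req)).decode()


def idp_receive(post_url, saml_request_b64):
    """Hypothetical IdP: strict Destination match, language read from the POST URL query."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return ("rejected", "not an AuthnRequest")
    if root.get("Destination") != IDP_SSO_URL:
        return ("rejected", "Destination mismatch")
    parts = urlsplit(post_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != IDP_SSO_URL:
        return ("rejected", "posted to wrong endpoint")
    lang = parse_qs(parts.query).get(LANG_PARAM, ["default"])[0]
    return ("accepted", lang)


def scenarios():
    with_param = f"{IDP_SSO_URL}?{LANG_PARAM}=fi"
    return {
        # Parameter placed in the endpoint definition: it leaks into Destination.
        "param_in_endpoint_definition": idp_receive(with_param, build_authn_request(with_param)),
        # Parameter only on the URL the browser posts to: Destination stays clean.
        "param_only_on_post_url": idp_receive(with_param, build_authn_request(IDP_SSO_URL)),
        "no_param": idp_receive(IDP_SSO_URL, build_authn_request(IDP_SSO_URL)),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```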