Decode SAML Response from IDP Server

gogreen · ‎16-Nov-2020

Here is the traffic Flow :

SP<===========>F5(VS/Pool)<=============>IDP Server(s)

In this, SP see F5 as IDP ( F5 is acting as a proxy in front of IDP servers), Using irules, how can I extract one of the attributes from the SAML response sent from IDP ?

Dario_Garrido · ‎18-Nov-2020

Hello Gogreen.

F5 has native iRules (v14.1+) to manage SAML assertion when it works as SP or IDP.

ACCESS_SAML_AUTHN – authentication request
ACCESS_SAML_ASSERTION – assertion
ACCESS_SAML_SLO_REQ – single logout request
ACCESS_SAML_SLO_RESP – single logout response

In your case (being a proxy) and assuming that your are offloading traffic (SSL Bridging), your only chance is to manage that communication as a regular HTTP connection with headers and payload, where SAML assertion will be located in the payload section (coded in base64).

Regards,

Dario.

Regards,
Dario.

View solution in original post

Dario_Garrido · ‎18-Nov-2020

Hello Gogreen.

F5 has native iRules (v14.1+) to manage SAML assertion when it works as SP or IDP.

ACCESS_SAML_AUTHN – authentication request
ACCESS_SAML_ASSERTION – assertion
ACCESS_SAML_SLO_REQ – single logout request
ACCESS_SAML_SLO_RESP – single logout response

In your case (being a proxy) and assuming that your are offloading traffic (SSL Bridging), your only chance is to manage that communication as a regular HTTP connection with headers and payload, where SAML assertion will be located in the payload section (coded in base64).

Regards,

Dario.

Regards,
Dario.

Norris · ‎23-Nov-2020

Thanks for the information

boneyard · ‎23-Nov-2020

please flag the question as answered if it was, it helps other recognize the status.

DevCentral

Decode SAML Response from IDP Server

Sep 26th, 2023
MFA required on DevCentral

DevCentral

Decode SAML Response from IDP Server

Sep 26th, 2023MFA required on DevCentral

Sep 26th, 2023
MFA required on DevCentral