17-Nov-2015 12:57
Hi,
I would like to have an IdP for multiple SPs (SP1 and SP2). The connection is SP-initiated to the IdP. For security reasons SP1 and SP2 need different policies to verify the user.
Instead of creating different IdPs, we would like (if it's possible) to make different branches in the policy based on the SAML authentication request, like ProviderName or AssertionConsumerServiceURL.
I don't know exactly how to write the iRule and how to get the variables from the SAML request.
The idea could be:
VS (IdP) ==> { ACL iRule }
if ( AssertionConsumerServiceURL = SP1 ) ==> policy for SP1
if ( AssertionConsumerServiceURL = SP2 ) ==> policy for SP2
Thanks in advance
17-Nov-2015 13:58
Is APM acting as IdP, and are the SPs external to it? Can you please elaborate/post more details on the different policies you want/need to follow to verify the user?
18-Nov-2015 13:49
Hi Michael,
I will put an example.
App1: url: app1.provider.com ==> Very confidential APP. Needs a SAML ticket with attribute "security level = high"
App2: url: app2.provider.com ==> Very low confidential APP. Needs a SAML ticket with attribute "security level = low" ...
Both need a SAML ticket, and both redirect to the same IdP to obtain it, but in the policy of the F5, when ProviderName = APP1 the policy would request 2-factor authentication. On the other hand, when the IdP detects that ProviderName = APP2, only username or password is enough.
This is the reason why we need to branch the policy on the IdP based on the SAML request ProviderName.
14-Dec-2020 10:14
I have this same need. Authentication will depend on the AssertionConsumerServiceURL. This is the IdP.
How can that value be obtained in the policy editor? It would be very useful.
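The branching logic discussed in this thread, written in Python outside the BIG-IP as an added example: it is not an iRule, not APM configuration, and not code from any poster. It decodes a redirect-binding SAMLRequest, reads ProviderName, Issuer and AssertionConsumerServiceURL, and picks a branch by exact match against a registered ACS URL, sending anything unknown or unparsable to the strictest branch. The registry, the `/acs` paths, the branch names and the size cap are assumptions.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_XML = 64 * 1024  # assumed cap on the inflated request
STRICTEST = "two_factor"
# Hypothetical registry: ACS URL registered for each SP -> policy branch.
BRANCH_BY_ACS = {
    "https://app1.provider.com/acs": "two_factor",
    "https://app2.provider.com/acs": "password_only",
}

def decode_redirect(saml_request: str) -> bytes:
    """URL-decoded SAMLRequest value -> XML (base64, then raw DEFLATE)."""
    inflater = zlib.decompressobj(-15)
    xml = inflater.decompress(base64.b64decode(saml_request, validate=True), MAX_XML)
    if inflater.unconsumed_tail:
        raise ValueError("inflated request exceeds cap")
    return xml

def request_fields(xml: bytes) -> dict:
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD not allowed in a SAML message")
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    return {
        "issuer": (root.findtext(f"{{{SAML}}}Issuer") or "").strip(),
        "provider_name": root.get("ProviderName"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
    }

def select_branch(saml_request: str) -> str:
    """Exact match on the registered ACS URL; anything else gets STRICTEST."""
    try:
        fields = request_fields(decode_redirect(saml_request))
    except (ValueError, zlib.error, ET.ParseError):
        return STRICTEST
    return BRANCH_BY_ACS.get(fields["acs_url"], STRICTEST)

def sample_request(provider: str, acs: str) -> str:
    """Constructed sample AuthnRequest, encoded as the redirect binding does."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'ID="_constructed" Version="2.0" ProviderName="{provider}" '
           f'AssertionConsumerServiceURL="{acs}"><saml:Issuer>{provider}'
           f'</saml:Issuer></samlp:AuthnRequest>')
    deflater = zlib.compressobj(wbits=-15)
    return base64.b64encode(deflater.compress(xml.encode()) + deflater.flush()).decode()
```

The fields come from the requester's own message, so the lookup keys on values registered for each SP and never lets an unrecognised value select the weaker branch.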