Youssef_Ghorbal
Nov 30, 2014
Solved

F5 APM behaviour similar to "requireSession off" of Shibboleth SP

Hello,


I'm trying to replace a Shibboleth SP with APM (SAML SP). In some use cases it works like a charm, but for other use cases I can't figure out how to make it work. One of the use cases I'm stuck with is web applications that decide on their own when to trigger SAML auth (apps that support many auth schemes, for example, or that have some public, non-protected content). With Shibboleth SP (linked to an Apache webserver) I can configure two things:


  • set "requireSession off" in the vhost configuration.
  • set handlerURL=/Shibboleth.sso in the shibboleth2.xml.

When a client request goes through Apache, it gets handed directly to the application and the SAML magic is bypassed. When the application wants to trigger a SAML auth, it redirects the user to the /Shibboleth.sso context (the one corresponding to handlerURL in shibboleth2.xml); the SAML SP kicks in and the magic happens (go to the IdP, back to the SP, have access, etc.). It even continues to track the SAML session on any subsequent requests.


I've read most of APM's SAML documentation and I can't seem to find the trick. I have little to no control over the applications. All we have in common is the magic context (/Shibboleth.sso) that makes SAML kick in. For example, I can't know for sure which contexts need to be protected and which do not.


For me, SAML SP is either activated or not in APM; I can't find anything close to a conditional trigger. Any help is appreciated.


  • I'll answer myself. I've come up with an iRule that can do this. Assuming:

    • The trigger URL is /websso/login
    • The query attribute to handle the landing URI is named "target"
    • You already have an Access Policy activated for your VS that is configured for SAML

    The iRule goes like this:

    when HTTP_REQUEST {
        # APM session cookie presented by the client (empty string if none)
        set apm_cookie [HTTP::cookie value MRHSession]

        # Landing URI the application asked for; default to "/" when absent
        set app_target [URI::query [HTTP::uri] "target"]
        if { [string length $app_target] == 0 } {
            set app_target "/"
        }
        # Only accept a local path as landing URI ("/..." but not "//..." or "/\..."),
        # so the trigger URL cannot be turned into an open redirect to another host
        if { !($app_target starts_with "/") || ($app_target starts_with "//") || ($app_target starts_with "/\\") } {
            set app_target "/"
        }

        # The two URIs that must always reach APM: the application's trigger URL
        # and APM's own SAML assertion consumer endpoint
        set sso_uri [expr { ([HTTP::uri] starts_with "/websso/login") || ([HTTP::uri] starts_with "/saml/sp/profile/post/acs") }]

        # Client already holds a valid APM session: let APM handle the request,
        # and send the browser on to the landing URI if it arrived on an SSO endpoint
        if { [ACCESS::session exists -state_allow $apm_cookie] } {
            if { $sso_uri } {
                HTTP::redirect $app_target
            }
            return
        }

        # No session yet: only the SSO endpoints go through the Access Policy
        if { $sso_uri } {
            return
        }

        # Everything else bypasses APM and is handed straight to the application
        ACCESS::disable
    }
    

    The idea is to disable APM for all requests by default and enable it when a session cookie is present or when the URI is the one that triggers the authentication.

    Maybe this will help someone, one day.

    /saml/sp/profile/post/acs is a special URL handled by the APM module itself; it's the endpoint that consumes the SAML assertion (back from the IdP).
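The following is an added example, not the poster's iRule and not F5 code: a small Python model of the decision logic the iRule above implements, so the three outcomes (redirect, handled by APM, bypass via ACCESS::disable) can be checked against sample requests without a BIG-IP. The endpoint prefixes come from the post; the function names, the `session_allowed` flag (standing in for `ACCESS::session exists -state_allow`), and the sample requests are assumptions constructed for this example. It also shows the check a defender would want on the "target" parameter: once a session exists the iRule redirects wherever "target" points, so restricting it to a same-origin path prevents the trigger URL from being used as an open redirect.

```python
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Endpoints from the iRule in the post: the application-chosen trigger URL
# and APM's own SAML assertion consumer endpoint.
TRIGGER_PREFIX = "/websso/login"
ACS_PREFIX = "/saml/sp/profile/post/acs"


def is_sso_uri(uri: str) -> bool:
    """True for the trigger URL or the APM ACS endpoint (prefix match, like starts_with)."""
    return uri.startswith(TRIGGER_PREFIX) or uri.startswith(ACS_PREFIX)


def landing_target(uri: str) -> str:
    """Value of the 'target' query parameter, restricted to a local path.

    Accepts "/..." but rejects "//..." and "/\\..." (protocol-relative forms that
    browsers treat as another host). Anything else falls back to "/", which is
    also what the iRule does when the parameter is absent.
    """
    target = parse_qs(urlsplit(uri).query).get("target", [""])[0]
    if not target.startswith("/") or target.startswith(("//", "/\\")):
        return "/"
    return target


def decide(uri: str, session_allowed: bool) -> Tuple[str, Optional[str]]:
    """Mirror the iRule's branches.

    session_allowed stands for: ACCESS::session exists -state_allow <MRHSession>.
    Returns one of:
      ("redirect", path)  -> HTTP::redirect to the landing URI
      ("apm", None)       -> fall through, the Access Policy handles the request
      ("bypass", None)    -> ACCESS::disable, request goes straight to the app
    """
    if session_allowed:
        if is_sso_uri(uri):
            return ("redirect", landing_target(uri))
        return ("apm", None)
    if is_sso_uri(uri):
        return ("apm", None)
    return ("bypass", None)


# Constructed sample requests: (uri, client holds a valid APM session)
SAMPLE_REQUESTS = [
    ("/app/public/index.html", False),
    ("/websso/login?target=/app/private", False),
    ("/saml/sp/profile/post/acs", False),
    ("/app/private", True),
    ("/websso/login?target=/app/private", True),
    ("/websso/login?target=//evil.example/phish", True),
]


def decision_table():
    """Run the samples through decide() and return (uri, session, action, target) rows."""
    return [(uri, sess) + decide(uri, sess) for uri, sess in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for row in decision_table():
        print(row)
```

Run it with `python3` to print the decision table; the last sample shows the protocol-relative "//evil.example/phish" target being replaced by "/" instead of redirecting the freshly authenticated browser off-site.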
