
How do I determine SP origin on a BigIP IdP



We have a BigIP 14.1 environment, and we've set up an IdP to respond to, where only the IdP Entity ID differs, such as, etc.

We also act as an SP for an external IdP, so the user has two AAA to choose from.

Some of the services are restricted to use only one of these, and we'd like to skip over the form where the user chooses the AAA to use for these. Together with an F5 consultant, we solved this by using an iRule listening to the event ACCESS_POLICY_AGENT_EVENT. In it, we scan for the Referer header in the session.server.initial_req_hdrs variable.

We then use a switch -glob statement to differentiate between the various origins, setting session.custom.ga_result to 0, 1 or 2 accordingly, meaning choice, local AD or external IdP.

This was the foundation left to us by the consultant, and it has since been refined by us.



The above solution works for the most part, but as we bind more SPs to the solution, we find that not everybody has the courtesy to provide a Referer header. Their solutions may not even make it possible. It has really been nagging me.

I have tried two things:

1) Reading the session.bigip_idp_sp_info variable that contains the name of the SP connector. Except it's not set at the point of ACCESS_POLICY_AGENT_EVENT, so it's empty.

2) Using the ACCESS_SAML_ASSERTION event and extracting the saml2:Issuer attribute from the XML, but this event is triggered after ACCESS_POLICY_AGENT_EVENT, so I can't use that either.


I'm not a SAML expert, and I have asked several of our SPs for advice, to no avail, as I am certain this has to be solved in the SAML scope of things rather than with guesswork within an elaborate iRule.


How do sane people solve this?



Is there nobody out there familiar with using a BigIP as an IdP who can identify anything we're doing wrong in our thinking or methodology in this scenario, or who has faced a similar problem?

F5 Employee

The best way I can think of to do this is to have each of the SPs send to their own SSO URL, branch these off in the VPE by landing URI, then re-assign the landing URI as 'return {/saml/idp/profile/redirectorpost/sso/}' before they hit the login page. This will maintain the SAMLRequest from the SP and continue on as an SP-initiated connection.


Otherwise, if you do not re-assign the landing URI, the BIG-IP will not recognize the connection as SP initiated, drop the SAMLRequest, and treat the connection as if it was IdP initiated.


I wrote this support solution:

K55982241: Choosing branches in the Visual Policy Editor with APM as an IdP while using multi Servic...


Hope it helps!


Thank you!

I will try your approach as soon as I have a service window and I will report back to the community once it's done.

It looks very, very promising.


Hi Samuel


How did you go with delv3chio's solution? Wish that was around 9 months ago 😉


We have an iLX plugin that inflates/parses the incoming SAML assertion. It grabs the issuer and/or the ACS url and we then make decisions in the policy based on the returned results.