cancel
Showing results for 
Search instead for 
Did you mean: 

Redirect of a SAML POST

Johan_Lång
Cirrus
Cirrus

Background

We're using Bigip as a ADFS Proxy and we currently running version 14.2 of bigip. In this version there is some issues with SAML with POST request method. But Im not sure if that is the case in this scenario.

We have two IDPs in ADFS and some of our SPs (RPs) is using both of them. If a SP is using two IDPs, the user will get prompt to choose which IDP they prefer before they provide their credentials.

 

Ive got an access policy with a descision page were you can choose which auth-method you want to use. And with help of an irule you get redirected to either IDP. This works wonderfully with SAML GET as a request method, and even with a POST if you only have one IDP assigned to the SP. What I can tell, if a SAML POST is incoming BIGIP is caching that form data and after a successfull authentication BIGIP will send a form data named "dummy" to ADFS, that works perfectly as i mentioned earlier if the SP only has one IDP assigned.

 

Problem

If a SP has two assigned IDPs and you need to make a redirect to either IDP with a SAML POST, a generic error pops up in ADFS. Ive tried to use a 307 respond and i can se the "dummy" is reposted, but there is still a generic error. As i said earlier its fine if we only assign one IDP to this SP.

 

Do I need to keep track of the form data myself or is this simply a bug?

 

Regards,

Johan

 

0 REPLIES 0