Forum Discussion

asmith984
Nimbostratus
Feb 12, 2023
Solved

SAML IdP Initiated SSO Denied and Killing Existing Session established through OAuth

I am running into an issue and coming up short on ideas, so I thought I would try here. I have an application wherein users are authenticated with Okta via a JavaScript widget on our home page. We have an OAuth Client/Resource Server set up and this is working well. Now, once these users are logged in, some of them will then need to authenticate to third-party partners via SAML SSO with the F5 acting as the IdP. This is where I'm getting hung up...

So authentication with OAuth to the application works well and a session is established. We have some logic in the application such that when a user needs to go to one of these third parties, they are directed to /saml/idp/res?id=/Common/<saml_resource_name>. Whenever an already authenticated user hits these endpoints with an appropriate SAML resource name, the client is redirected to /hangup.php and their session is terminated. Looking in /var/log/apm, I find only the following in the logs as to why: "Authorization failure: Denied request for SAML resource /Common/my_saml_resource"

I've been racking my brain on this and am struggling to understand how I can prevent the session from getting terminated and have clients redirected with an appropriate SAML interaction to our SPs.  Any help would be much appreciated!

Thank you!

-adam
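The log line quoted in the post is the only evidence APM leaves for this failure, and the symptom is that the denial is immediately followed by the session being torn down. The script below is an added example, not the poster's code or anything from F5: it walks /var/log/apm-style lines, pulls out every "Denied request for SAML resource" event with its session ID and resource name, counts denials per SAML resource, and flags the sessions where a denial was followed by a "Session deleted" message for the same session ID. The sample lines are constructed here, and the field layout they assume (syslog prefix, daemon PID, message code, then "/<partition>/<policy>:<partition>:<session-id>: <message>") is an approximation of the real format; adjust APM_LINE_RE if your appliance logs differently. After the access policy is fixed, running this over a fresh log should show no new denials for sessions that reach the /saml/idp/res endpoint.

```python
#!/usr/bin/env python3
"""Triage APM 'Denied request for SAML resource' events in /var/log/apm.

Added example, not from the original post. The sample log below is constructed
and the line layout is an assumption about APM's format.
"""
import re
import sys
from collections import Counter

# Constructed sample. Two sessions (1a2b3c4d, 5e5e5e5e) are denied and then
# deleted, one (9f8e7d6c) is denied without a deletion line, and one tmm line
# is unrelated noise that the parser should simply ignore.
SAMPLE_APM_LOG = """\
Feb 12 09:14:03 bigip1 notice apmd[4321]: 01490000:5: /Common/home_ap:Common:1a2b3c4d: Received User-Agent header: Mozilla/5.0
Feb 12 09:14:03 bigip1 notice apmd[4321]: 01490000:5: /Common/home_ap:Common:1a2b3c4d: Authorization failure: Denied request for SAML resource /Common/partner_a_saml
Feb 12 09:14:03 bigip1 notice apmd[4321]: 01490000:5: /Common/home_ap:Common:1a2b3c4d: Session deleted due to user logout request.
Feb 12 09:15:10 bigip1 notice apmd[4321]: 01490000:5: /Common/home_ap:Common:9f8e7d6c: Authorization failure: Denied request for SAML resource /Common/partner_b_saml
Feb 12 09:16:00 bigip1 notice apmd[4321]: 01490000:5: /Common/home_ap:Common:5e5e5e5e: Authorization failure: Denied request for SAML resource /Common/partner_a_saml
Feb 12 09:16:00 bigip1 notice apmd[4321]: 01490000:5: /Common/home_ap:Common:5e5e5e5e: Session deleted due to user logout request.
Feb 12 09:17:45 bigip1 notice tmm[1234]: 01490505:5: (null):Common:00000000: some unrelated message
"""

# Assumed line layout: "<ts> <host> <severity> <proc>[<pid>]: <code>:<lvl>: "
# "<policy>:<partition>:<session-id>: <message>". Tighten for your version.
APM_LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+ (?P<proc>\w+)\[\d+\]: "
    r"[0-9a-f]{8}:\d: (?P<policy>\S+?):(?P<partition>\w+):(?P<sid>[0-9a-f]+): (?P<msg>.*)$"
)
# The message the poster found in /var/log/apm; the resource path follows it.
DENY_RE = re.compile(r"Authorization failure: Denied request for SAML resource (?P<resource>\S+)")


def parse_apm_lines(text):
    """Split raw log text into dicts with ts/proc/policy/partition/sid/msg."""
    records = []
    for line in text.splitlines():
        m = APM_LINE_RE.match(line)
        if m:  # lines that do not fit the layout are skipped, not errors
            records.append(m.groupdict())
    return records


def find_saml_denials(text):
    """Return one dict per SAML resource denial: when, which session, which resource."""
    denials = []
    for rec in parse_apm_lines(text):
        d = DENY_RE.match(rec["msg"])
        if d:
            denials.append({"ts": rec["ts"], "sid": rec["sid"],
                            "policy": rec["policy"], "resource": d["resource"]})
    return denials


def denied_resource_counts(text):
    """Count denials per SAML resource, so the unassigned resource stands out."""
    return Counter(d["resource"] for d in find_saml_denials(text))


def sessions_killed_after_denial(text):
    """Session IDs for which a denial was later followed by a 'Session deleted' line."""
    denied, killed = set(), set()
    for rec in parse_apm_lines(text):  # file order is time order
        if DENY_RE.match(rec["msg"]):
            denied.add(rec["sid"])
        elif rec["msg"].startswith("Session deleted") and rec["sid"] in denied:
            killed.add(rec["sid"])
    return killed


def main(argv):
    # Usage: apm_saml_denials.py [/var/log/apm]; without a path, uses the sample.
    text = open(argv[1], encoding="utf-8", errors="replace").read() if len(argv) > 1 else SAMPLE_APM_LOG
    for d in find_saml_denials(text):
        print(f"{d['ts']} session={d['sid']} policy={d['policy']} denied={d['resource']}")
    for resource, n in denied_resource_counts(text).most_common():
        print(f"{n:4d}  {resource}")
    print("sessions terminated after a denial:", ", ".join(sorted(sessions_killed_after_denial(text))) or "none")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the real file with `python3 apm_saml_denials.py /var/log/apm`. A resource that shows up in the counts but is not assigned by the access policy (via a Resource Assign or Advanced Resource Assign agent) is exactly the condition that produces this denial; the "terminated after a denial" list tells you which OAuth-established sessions were lost because of it.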

  • OK. Figured this out. Probably silly, but I needed to add a "Resource Assign" task in the VPE for my access policy once authenticated.

2 Replies