Big-IP SAML2.0 IdP to same SP back-end for multiple host aliases
Description I'm wondering how it can be achieved to configure SAML2.0 on APM as IdP in a way to preventNo RelayState mapping found for RelayState value xxxerrors when coming from an FQDN for which SAML2.0 hasnotbeen configured. Example Havingabc123xyz.acme.comexporting SP Metadata and importing IdP Metadata based on this host alias, for which SAML2.0 is operating as expected. Now our customer arenotable to remindabc123xyz.acme.com, so we are offeringfancypad.acme.com(super easy to remind) but getting back RelayState error, which is obvious because forfancypad.acme.comalias no SP IdP relation has been configured. Question Its possible on SP side to configure the IncomingRequest parameters to send theapplication URL, for example, but it will depend if the f5 IdP can differentiate it and send to the same host that did the request? There are customers having used a BIG-IP or other appliances which mentioned forwarding requests to the correct SPs based on specific host aliases and Service-URLs. Thus the URL was appropriately masked and rewritten by the reverse proxy. The host header was replaced with the host value extracted from the matched ACS URI of the internal SP. Would lead to the following example which illustrates the Assertion Consumer Service endpoints for an SP that is only using the SAML2 HTTP-POST binding. BindingEndpointStatus urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POSThttps://abc123xyz.acme.com/sso/SAML2/POSTPre-existing urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POSThttps://fancypad.acme.com/sso/SAML2/POSTNeed to add The question is, how to overcome this behaviour which is leading to 'No RelayState mapping found for RelayState value xxx'? Any help would be greatly appreciated, best wishes Florian