Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Clear all filters
code share

APM SAML IdP - SP Issuer Extraction

Problem this snippet solves:

APM doesn't expose any detail about the SAML SP Issuer when authentication requests hitting APM as an IdP during an SP initiated SAMLRequest. This iRule when applied to a SAML IdP enabled virtual server will extract the assertion request, decode it and present the SAML SP Issuer ID as the session variable %{session.saml.request.issuer} within APM.

How to use this snippet:

This comes in real handy when performing authorisation of the resource and could help avoid having APM perform a TCP connection reset when a SAML resource isn't authorised.

Tested on Version:
Comments on this Snippet
Comment made 25-Jan-2018 by Walter Kacynski 978

I would like to note that BIG-IP 13.1 friendly messages are displayed when SAML resources are denied.

Message: "Access to requested SAML resource is denied."

Comment made 19-Mar-2018 by svs 358

Hi Nobby,

thank you very much! This works like charm in v13 as well and helped me a lot.

Cheers, svs

Comment made 14-Sep-2018 by Brian 0

Any possibility of getting the GET method solution?

Comment made 15-Sep-2018 by svs 358

What do you mean? Redirect Binding? Just try to fetch the Request by extracting the URL parameter using HTTP::query i.e. There are a bunch of examples for extracting URL parameters on DevCentral.

Comment made 17-Sep-2018 by Kris @ VirginAustralia 145

you can't deflate in an irule (that I know of)

You need to urldecode, deflate & base64decode when the SAML SP uses Redirect Binding

I used this to get started and then found out I needed deflate.

set get_payload_data [b64decode [URI::decode [URI::query [HTTP::uri] SAMLRequest]]]

Also, I needed to update the original irule here because some SP's Auth request looked like this..


.. which didn't match so I changed to..

set SAML_Issuer_loc [string first ":issuer" [string tolower $SAMLdata]]