Forum Discussion
steirtet
Sep 09, 2014 Nimbostratus
Hi,
Thanks for the answer, but this iRule retrieves the username/password without using SAML. The problem with SAML is that it uses redirects between the SAML SP and the SAML IdP. In this case, redirects are not supported and not allowed. The problem remains: how to solve this via an iRule?
Thierry
- Gabriel_V_13146 Sep 09, 2014 Cirrus
  Hi, there are several SAML profiles (options for how to use the SAML messages). F5 supports the WebSSO profile, thus redirect/POST SAML messages between SP and IdP. So it's not really clientless. I don't know if it helps, but just an idea: if your SP can consume a SAML assertion, you could use 'IdP-initiated' SSO, so you can let F5 send the LoginResponse directly without any request. That can be done by setting up a webtop with SAML connectors. In that case the APM will expose links (I don't recall the exact URL, see the links which are bound to the webtop links) sending a SAML response to the SP. And as a login action your application just sends the user to the exposed IdP link. Have fun, Gabriel
- Gabriel_V_13146 Sep 09, 2014 Cirrus
  If you really must be clientless, maybe the link provided is what you need. Your application could send a SAML SOAP message with username and password (or other credentials), and you will need to update the provided iRule to dig the data from XML instead of a simple POST.