Youssef_Ghorbal
Nov 30, 2014
Solved
F5 APM behaviour similar to "requireSession off" of Shibboleth SP
Hello,
I'm trying to replace a Shibboleth SP with APM (SAML SP). In some use cases it works like a charm, but for other use cases I can't figure out how to make it work.
One of the use cases I'm s...
- May 24, 2016
I'll answer myself. I've come up with an iRule that can do this. Assuming:
- The trigger URL is /websso/login
- The query attribute to handle the landing URI is named "target"
- You already have an Access Policy activated for your VS that is configured for SAML
The iRule goes like this:

```tcl
when HTTP_REQUEST {
    # APM session cookie (empty string if the client has none yet)
    set apm_cookie [HTTP::cookie value MRHSession]

    # Landing URI requested via ?target=... ; default to the site root
    set app_target [URI::query [HTTP::uri] "target"]
    if { [string length $app_target] == 0 } {
        set app_target "/"
    }
    # Accept only a local, path-only target so the redirect cannot be
    # pointed at another host (absolute URL or protocol-relative "//host")
    if { not ($app_target starts_with "/") or ($app_target starts_with "//") } {
        set app_target "/"
    }

    # Authenticated session: let APM handle the request. If the client is
    # on the login trigger or the SAML ACS endpoint, send it on to the app.
    if { [ACCESS::session exists -state_allow $apm_cookie] } {
        if { ([HTTP::uri] starts_with "/websso/login") or ([HTTP::uri] starts_with "/saml/sp/profile/post/acs") } {
            HTTP::redirect $app_target
        }
        return
    }

    # No session yet: only the login trigger and the ACS endpoint go
    # through APM (they start / complete the SAML flow)...
    if { ([HTTP::uri] starts_with "/websso/login") or ([HTTP::uri] starts_with "/saml/sp/profile/post/acs") } {
        return
    }

    # ...every other request bypasses APM (Shibboleth's "requireSession off")
    ACCESS::disable
}
```
The idea is to disable APM for all requests by default and enable it when a session cookie is present or when the URI is the one that triggers the authentication.
Maybe this will help someone, one day.
/saml/sp/profile/post/acs is a special URL handled by the APM module itself; it's the endpoint that consumes the SAML assertion (back from the IdP).