Forum Discussion
Kevin_Stewart
Jul 21, 2014
Employee
Just throwing this out there as I've dealt with something similar recently. Any chance that your environments are differentiated by hostname (i.e., dev.domain.com, qa.domain.com, test.domain.com)? If so, you could:
- Create separate SP configs, access policies, and "internal" VIPs for each.
- Bind all of the SP configs to the IdP.
- Create an external LTM that fronts the internal APM VIPs and an iRule that load balances to the APM VIPs based on hostname (or any other consistent value in the request):

    when HTTP_REQUEST {
        switch [string tolower [HTTP::host]] {
            "dev.domain.com" { virtual dev_apm_vs }
            "qa.domain.com" { virtual qa_apm_vs }
            "test.domain.com" { virtual test_apm_vs }
        }
    }
Now that I'm thinking about it, and I don't have it in front of me to test, but isn't the relaystate value a query string value outside the encoded SAML request? You could use a similar "layered" VIP approach to alter the relaystate.
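
Added example, not part of the original post: a Python sketch of the SAML HTTP-Redirect binding showing that RelayState travels as its own query parameter beside the DEFLATE+base64 `SAMLRequest`, so a fronting layer can read or rewrite it without decoding the request. When the redirect is signed, the signature covers RelayState, so the sketch refuses to rewrite it. The IdP URL, the AuthnRequest and all function names are constructed for illustration.

```python
import base64
import zlib
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample AuthnRequest; hostnames and ID are placeholders.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed1" Version="2.0" IssueInstant="2014-07-21T00:00:00Z" '
    'AssertionConsumerServiceURL="https://dev.domain.com/acs"/>'
)

def deflate_b64(xml):
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64.
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()

def build_redirect(idp_sso_url, xml, relay_state):
    # RelayState is a sibling query parameter, not part of the encoded XML.
    query = urlencode({"SAMLRequest": deflate_b64(xml), "RelayState": relay_state})
    return f"{idp_sso_url}?{query}"

def inspect_redirect(url):
    params = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    return {
        "relay_state": params.get("RelayState", [None])[0],
        "request_xml": zlib.decompress(raw, -15).decode(),
        "signed": "Signature" in params,
    }

def rewrite_relay_state(url, new_value):
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    if "Signature" in params:
        # The redirect-binding signature is computed over
        # SAMLRequest, RelayState and SigAlg; editing RelayState breaks it.
        raise ValueError("signed redirect: RelayState is covered by the signature")
    params["RelayState"] = [new_value]
    return parts._replace(query=urlencode(params, doseq=True)).geturl()

if __name__ == "__main__":
    url = build_redirect("https://idp.domain.com/sso", AUTHN_REQUEST, "dev")
    print(inspect_redirect(url)["relay_state"])
    print(inspect_redirect(rewrite_relay_state(url, "qa"))["relay_state"])
```

In the HTTP-POST binding the same separation holds: RelayState is a form field next to the base64 `SAMLRequest` field.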