so i have 1 SP initiated SAML setup and working. i have another request to setup an IDP initiated SAML connection. i have get it to work successfully following the guide but after signing into the F5 the users have to click the link in the webtop. from research i know i should be able to send them directly to the correct SAML resource but i have not been able to figure it out. any help would be great? this is the guide i followed https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-saml-config-guide-11-3-0/2.htmlunique_882574450

yes i have the SAML working for both my SP-initiated and IDP-initiated. when a user uses the SP-initiated URL they are taken directly to the service providers site. this is how i want the IDP to work as well so users do not have to manually click on the IDP-initiated resource once authenticated.

That's what I'm saying. Your IdP visual policy could look like this: start -> [auth] -> allow Apply the SAML IdP config as an SSO profile to that access policy (directly) - no webtop, no resource assignment. You just need to make sure that at some point in the visual policy you populate that Assertion Subject Value session variable.

but if i remove the advanced resource assign from the VPE my SP-initiated SAML application stops working. maybe i am missing something but i followed the F5 guide for supporting both SP and IDP initited SAML. my setup is as follows: 1 virtual server 1 access profile 1 access policy 2 saml local IDP services 2 saml external SP Connectors 2 saml resources

Are you doing SP and IdP on a single VIP? An SP-initiated SAML auth doesn't require a resource assignment either. It's just: start -> SAML Auth -> allow That's assuming the SAML SP is on one VIP and your IdP is on another.

yes i was doing both SP-initiated and IDP initiated on the same VIP. this was according to the guide and made sense so i only have 1 url for saml.

SAML IDP-initiated without webtop

16 Replies

Michael_Koyfma1

Cirrus

Aug 27, 2015

You're almost there. Here is what you need to do in terms of iRUles. The gist is that you need to name your IDP resource and redirect to the proper webtop resource. You can try to automate it like you did to dynamically populate respond string, or you can define them statically in the switch statement - that way you can have more user-friendly setup, I believe. Keep in mind that in this case we assume you use Common partition(thus /Common/IDPresourceName reference - substitute that for what your resource is really defined as)

when HTTP_REQUEST priority 30  {
 if {[ACCESS::policy result] eq "allow"; }
 {
      switch -glob [HTTP::path] {
      "/IDPResource";
           {
                HTTP::respond 302 Location "/saml/idp/res?id=/Common/IDPResourceName"
                return
           }
      }
 }

}

` ACCESS Policy Response used to provide IdP Initiated SAML for users that have not logged in yet

when ACCESS_POLICY_COMPLETED priority 30 {
     switch -glob [ACCESS::session data get session.server.landinguri] {
          "/IDPResource"
               {
                    ACCESS::respond 302 Location "/saml/idp/res?id=/Common/IDPResourceName"
                    return
               }
     }
}

Kevin_Stewart
Employee
Aug 27, 2015
https://devcentral.f5.com/questions/apm-saml-whats-the-best-way-to-have-multiple-idps-using-one-vipanswer123523

;)
jnowlin_44976
Nimbostratus
Aug 27, 2015
thanks i modified the irule a bit but so far this is working for me: when ACCESS_POLICY_COMPLETED { if { [ACCESS::session data get session.server.landinguri] starts_with "/saml/idp/profile/redirectorpost/sso" } { log local0. "SP initiated SAML detected, not sending redirect" } if { [ACCESS::session data get session.server.landinguri] starts_with "/URLtoIDPinitiated" } { log local0. [ACCESS::session data get session.assigned.resources.saml] ACCESS::respond 302 Location "https://sso.example.com/saml/idp/res?id=/Common/SAML_Resource" log local0. "IDP initiated SAML detected, sending redirect" } else { log local0. "Nothing Matched land on portal" } }
- Michael_Koyfma1
  Cirrus
  Aug 27, 2015
  Sure - keep in mind that you really probably should replicate the logic in both HTTP_REQUEST and ACCESS_POLICY_COMPLETED events if you are not ending the session right away. If your use case is going to grow in a way that you'll be providing IDP services for multiple SPs, you'd certainly want your users to authenticate once and then be SSOed into their APPs seamlessly. If you use just that snippet that you're using, it will work only when the user does not have a valid session with the IDP yet.
jnowlin_44976
Nimbostratus
Aug 27, 2015
now if i could just setup single sign on to my SP initiated SAML application i could add that link to the portal also.

jnowlin_44976

Nimbostratus

Aug 27, 2015

so my working irule looks like this:

when ACCESS_POLICY_COMPLETED {
if { [ACCESS::session data get session.server.landinguri] starts_with "/saml/idp/profile/redirectorpost/sso" } { 
    log local0. "SP initiated SAML detected, not sending redirect"
} 
if { [ACCESS::session data get session.server.landinguri] starts_with "/SAMLURL" } {
    log local0. [ACCESS::session data get session.assigned.resources.saml]
    ACCESS::respond 302 Location "https://sso.example.com/saml/idp/res?id=/Common/SAML_Resource"
    log local0. "IDP initiated SAML detected, sending redirect"
} else {
    log local0. "Nothing Matched land on portal"
}}

looks like yours handle the 302 redirect but not the SP-initiated.  do i need to add those lines to both httprequest and accesspolicy completed sections?

Forum Discussion

SAML IDP-initiated without webtop

16 Replies

Recent Discussions

Wildcard SSL Certificate Deployment on F5 LTM

iRule resulting in too many redirects

What happens if I only enable ASM in BIG-IP Under System > Resource Provisioning

URL

Migration from i series 10200 with 1 child VCMP to r series 10900 series

Related Content

IdP Discovery for IdP Initiated SAML

SAML IdP Initiated SSO Denied and Killing Existing Session established through OAuth

Dynamic , Variable RelayState in IdP initiated SAML SSO

Webtop and icons

Creating a SSL VPN Using F5 Full Webtop