I'm designing a gateway for some legacy systems which cannot consume SAML. We have an STS which issues SAML tokens to end-user applications and these pass through the enterprise. It's a single STS, which will grant/refuse access to lower sub-systems by listing all the systems allowed within the list of authentication claims. For SAML-aware apps, this is easy. Each app validates the token and looks to see if its claim is present.
In order to access the legacy systems, I want to have an F5 look at the token and then allow/deny access to the back-end system based upon that claim. The service names will be different, but the same SAML token will be presented each time. Thus I think I need to a) validate the SAML token (easy) and then b) look to see whether it contains a claim that matches the target service.
I'm struggling to see how to do this elegantly, as the documentation on SAML and iRules seems a little thin in places.
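The claim check described above (step b), written out as an added example in Python rather than as an iRule, so the matching logic can be read and tested independently of the F5 side; this is not code from the question or from F5. It assumes the signature on the assertion has already been validated (step a), that the STS lists the permitted systems in a single multi-valued attribute called `AllowedSystems` (a placeholder name), and that the gateway knows the target service name for the request it is fronting. Beyond the exact-match lookup the post asks for, it also refuses assertions outside their `Conditions` validity window.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real STS output). Signature validation is
# assumed to have already succeeded; this code only performs the claim check.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="AllowedSystems">
      <saml:AttributeValue>legacy-billing</saml:AttributeValue>
      <saml:AttributeValue>legacy-hr</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same assertion with an already-expired validity window, for the negative case.
EXPIRED_ASSERTION = SAMPLE_ASSERTION.replace(
    'NotOnOrAfter="2099-01-01T00:00:00Z"', 'NotOnOrAfter="2024-01-02T00:00:00Z"')


def _parse_ts(value):
    # SAML timestamps are UTC with a trailing Z; fromisoformat wants +00:00.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def allowed_systems(assertion_xml, attribute_name="AllowedSystems", now=None):
    """Return the set of system names the assertion grants. Returns an empty
    set (deny everything) if the Conditions window is not currently valid."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _parse_ts(not_before):
            return set()
        if not_on_or_after and now >= _parse_ts(not_on_or_after):
            return set()
    systems = set()
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attribute_name:
            for val in attr.findall("saml:AttributeValue", NS):
                if val.text:
                    systems.add(val.text.strip().lower())
    return systems


def is_authorized(assertion_xml, target_service, now=None):
    """Allow only when the target service name is listed exactly (no prefix or
    substring matching), compared case-insensitively after trimming."""
    return target_service.strip().lower() in allowed_systems(assertion_xml, now=now)
```

Each legacy service the F5 fronts would supply its own `target_service` value, so one token can be checked against many back ends without changing the token itself.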