
F5 SAML SP for a portion of a website

Let's say I have the following setup:

  • a website called test.example.com
  • an access policy called test_apol with SAML Auth


If I assign the test_apol access policy to test.example.com VIP, the entire test.example.com becomes Service Provider (SP) and is protected by SAML Auth.

Can I, and if yes then how, place only a portion of the website, i.e. a selected list of HTTP Paths/URIs behind SAML Auth, instead of the entire website?

I.e. if test.example.com/private then SAML Auth, otherwise no restrictions.

Just off the top of my head, I was thinking about placing an iRule Event in front of SAML Auth, and inside the iRule doing the filtering of which HTTP Paths/URIs I want to send to SAML for authentication, and which ones go straight to the back-end servers without any authentication:


However, I don't know whether this is the best approach to address my problem, or whether there is a better, more elegant solution.

Any ideas, suggestions, recommendations to address this are much appreciated.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

You can use ACCESS::enable and ACCESS::disable to enable or disable the access policy for some parts of the website. Check out the article below:

https://devcentral.f5.com/wiki/iRules.ACCESS__enable.ashx

Comments on this Answer
Comment made 2 months ago by Juraj 177

This is perfect! I completely forgot about using ACCESS::enable and ACCESS::disable; thanks for pointing it out Niels.

This way, all I need is a simple SAML Auth policy:


and a very simple iRule assigned to the VIP, where I just list the parts of the website I need to protect by SAML:

when HTTP_REQUEST {
  # Check the requested HTTP path
  switch -glob -- [string tolower [HTTP::path]] {
    "/vdesk/*"   -
    "/saml/*"    -
    "/private"   -
    "/private/*" {
      # Enable APM for these paths
      ACCESS::enable
    }
    default {
      # Disable APM for all other paths
      ACCESS::disable
    }
  }
}

I noticed that if the iRule doesn't have /saml/* in the list, it breaks the SAML authentication due to the default ACCESS::disable. So, that's the only thing I had to add to the example from ACCESS::enable to make it work the way I need.

Thanks again Niels.


Update: /vdesk/* needs to be there too. There might be some other HTTP paths that are required by SAML workflow, so those need to be in the list too.

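As an added illustration, not code from this thread, the following Python snippet simulates the path decision made by the iRule above (fnmatch standing in for Tcl's switch -glob after string tolower) and contrasts it with a fail-closed variant in which APM stays enabled for every path not on a public list; the PUBLIC_PATHS list and the sample requests are constructed assumptions.

```python
from fnmatch import fnmatchcase

# Patterns copied from the iRule in the comment above (Tcl `switch -glob`
# applied after `string tolower`), so paths are lower-cased before matching.
PROTECTED_PATHS = ("/vdesk/*", "/saml/*", "/private", "/private/*")

# Constructed assumption for the inverse, fail-closed design: everything is
# behind APM except the paths listed here. APM's own /saml/* and /vdesk/*
# need no entry because the default branch keeps ACCESS::enable.
PUBLIC_PATHS = ("/", "/index.html", "/static/*", "/healthz")


def tcl_glob_match(path, patterns):
    """Approximate Tcl `switch -glob` with fnmatch: `*` also spans `/`,
    and a pattern without a wildcard matches the path only exactly."""
    return any(fnmatchcase(path, pattern) for pattern in patterns)


def apm_enabled_protect_list(raw_path):
    """Mirrors the posted iRule: ACCESS::enable only for listed paths,
    ACCESS::disable for everything else (unlisted paths are unprotected)."""
    return tcl_glob_match(raw_path.lower(), PROTECTED_PATHS)


def apm_enabled_public_list(raw_path):
    """Fail-closed variant: ACCESS::disable only for listed public paths,
    ACCESS::enable for everything else, so a forgotten path stays protected."""
    return not tcl_glob_match(raw_path.lower(), PUBLIC_PATHS)


def compare(paths):
    """Return {path: (protect_list_apm, public_list_apm)} for review."""
    return {p: (apm_enabled_protect_list(p), apm_enabled_public_list(p))
            for p in paths}


if __name__ == "__main__":
    # Constructed sample requests, including an admin path nobody listed.
    samples = ["/", "/Private/reports", "/privateer", "/saml/sp/acs",
               "/static/app.js", "/admin/users"]
    for path, (protect, public) in compare(samples).items():
        print(f"{path:18} protect-list APM={protect!s:5} public-list APM={public}")
```

Running it shows /admin/users unprotected under the protect-list design but protected under the public-list one, and /privateer not matched by the exact "/private" pattern in either.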
Comment made 2 months ago by Niels van Sluis 2775

Thanks Juraj for sharing this detailed configuration. I'm sure this will be of great help to others trying to build something similar.
