APM as a SP, with multiple IDP connectors, both IDP and SP initiated
Hi !
How to configure APM as a SP, with multiple IDP connectors receiving both IDP and SP initiated requests?
My rig
I'm using APM as a SP. My SP should support multiple IDPs, and both IDP initiated and SP initiated requests. I bind multiple IDP Connectors to my SP, and I use matching rules to select the correct IDP connector to use. I require all landing URLs to my SP to contain a parameter 'idp'.
Example:
I configured my matching rules to match the session variable session.server.landinguri. I configured Matching Value for each IDP connector to match the value of the ‘idp’ parameter. Example: idp=some_idp
This works well for SP initiated.
The problem
When I added support for IDP initiated I ran into trouble. IDP initiated requests land on the ACS endpoint:
The URL the ACS will redirect to is transmitted using RelayState: ( RelayState: https://sp.host.no/landingpath&idp=some_idp )
Since the landinguri session variable no longer contains the idp parameter, matching fails and access is denied.
My (failed) fix attempts so far
- I tried adding the idp parameter to the ACS endpoint: but this caused the ACS request to fail.
- I tried changing the matching rule to match the idp parameter that is part of the RelayState (I found the RelayState in session.server.initial_req_body). While messy this will work, but only for IDP initiated. Now SP initiated fails, because initial_req_body doesn't contain the idp parameter when the request is SP initiated (the RelayState is not populated yet).
- I'm unable to configure 2 matching rules for the same IDP Connector, which would have solved the problem.
- One overly complex solution could be to write an iRule that pulls the idp parameter from either initial_req_body or landinguri, put the result into a session variable, and write a matching rule on that variable. But overly complex is not really my thing, hopefully there is a better way?
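The selection logic sketched in the last bullet, written out as an added example in Python that models the check an iRule would have to perform (it is not an iRule and not code from the original post). The values standing in for session.server.landinguri and session.server.initial_req_body, the ACS path, the SP host and the connector names are constructed assumptions; the example also refuses to trust a RelayState that does not point back at the SP host, since the idp value would otherwise be chosen by whoever crafted the RelayState.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed assumptions: the SP's own host and the names of the IdP
# connectors that are actually bound to the SP (matching values).
SP_HOST = "sp.host.no"
KNOWN_IDPS = {"some_idp", "other_idp"}


def idp_from_url(url):
    """Return the 'idp' parameter of a URL or path, or None if absent."""
    parts = urlsplit(url)
    query = parts.query
    # The RelayState in the post appends idp with '&' instead of '?', so the
    # parameter ends up in the path component; handle that form as well.
    if not query and "&" in parts.path:
        query = parts.path.split("&", 1)[1]
    return parse_qs(query).get("idp", [None])[0]


def idp_from_relaystate(initial_req_body):
    """Extract RelayState from the form-encoded ACS POST body and return its
    idp parameter, but only if RelayState points back at this SP."""
    relay = parse_qs(initial_req_body).get("RelayState", [None])[0]
    if relay is None:
        return None
    parts = urlsplit(relay)
    # A RelayState for another host must neither drive IdP selection nor
    # serve as the post-login redirect target.
    if parts.scheme != "https" or parts.hostname != SP_HOST:
        return None
    return idp_from_url(relay)


def select_idp(landinguri, initial_req_body):
    """Matching value for the IdP connector: SP-initiated requests carry idp
    in the landing URI, IdP-initiated ones only inside RelayState.
    Returns None when no known connector can be selected (access denied)."""
    idp = idp_from_url(landinguri) or idp_from_relaystate(initial_req_body)
    return idp if idp in KNOWN_IDPS else None


# Constructed sample inputs: an SP-initiated landing and an IdP-initiated
# POST to a placeholder ACS path ("/acs-endpoint" is not a real APM path).
SP_INITIATED = ("/landingpath?idp=some_idp", "")
IDP_INITIATED = ("/acs-endpoint",
                 "SAMLResponse=AAAA&RelayState=https%3A%2F%2Fsp.host.no"
                 "%2Flandingpath%26idp%3Dsome_idp")
```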