Is there a way in iRules to modify which IDP profile the APM selects?

Hi,

In the SAML SP/IdP Binding, you can check every session variable to choose IdP.

If you want to do the same as Office 365:

• create a logon page with email address form attribute.

• Create a variable assign with expression : session.logon.last.maildomain = if { [mcget {session.logon.last.email}] contains "@" } { set email [mcget {session.logon.last.email}]; return [string range $email [expr {[string first "@" $email] +1}] end ]; } else { return {[mcget {session.logon.last.email}] } }

   

• create a SAML Auth box

   

In the SAML Binding, choose the IdP based on the variable session.logon.last.maildomain

AlgebraicMirror, the suggestion Stanislas suggestion will work. The binding that is being referenced in the suggestion is based upon the IdP and external SP binding insite APM. Give this a shot, I think it will do what you're looking for.

As AlgebraicMirror explained, this is BigIP as IdP SSO, not SAML auth which is used in BigIP as SP.

AlgebraicMirror, do you have sample SAML Authentication request look like in your case? The sample I see from MS looks like as follows

https://msdn.microsoft.com/en-us/library/azure/dn641269.aspx

  urn:federation:MicrosoftOnline
  

As AlgebraicMirror explained, this is BigIP as IdP SSO, not SAML auth which is used in BigIP as SP.

AlgebraicMirror, do you have sample SAML Authentication request look like in your case? The sample I see from MS looks like as follows

https://msdn.microsoft.com/en-us/library/azure/dn641269.aspx

  urn:federation:MicrosoftOnline
  

Hi,

Sorry, I did not understand your need.

IdP profile is assigned as SSO profile, did you try to change profile?

when ACCESS_ACL_ALLOWED {
    set referer [HTTP::header referer]
    if { $referer starts_with "https://mail2.example.com" } {
        WEBSSO::select saml-idp2
    }
}

Event ACCESS_ACL_ALLOWED is raised on every authenticated request, and not only on policy evaluation.

The example I post is the example of WEBSSO::select wiki with some changes to match your needs.

But when I tried to apply the irule to a VS, I got the error (the SAML IdP exists):

01070151:3: Rule [/Common/saml-change-idp-profile] error: Unable to find sso_config (saml_idp) referenced at line 4: [WEBSSO::select saml_idp]

Going to jump into the conversation here and ask a few more questions.

First, assuming this is an SP-initiated SAML flow from O365 to your local IdP, what beyond the Referer header would be unique? Where does the nameid come from in the SAML authnrequest?

Plus, assuming this is all HTTPS traffic, you may not be able to rely on the Referer header. The WEBSSO::select option is definitely the way to go here, but you need to be able to uniquely identify the requests.

A check of saml attributes must be done to search a unique identifier of the SP.

So you're saying that inside the SAML auth request from the SP, there is indeed a unique attribute that refers back to that SP? If that's true, then you also need the SP to send the auth request as a POST vs. HTTP redirect. Per OASIS standards, a SAML auth request in the URL of a redirect is both base64-encoded and compressed, and iRules don't have gzip or enflate/deflate functions. In a POST however it's only base64-encoded, so you could absolutely catch the SAML auth request (POST) coming to the IdP, decode it, parse through it for the unique attribute, and then forward to the correct IdP SSO.

It's not usually a problem, but for the fact that in this case the ACS and other attributes are the same between all of the SPs. I'd probably counter-argue that the proxy layer in front of APM SAML allows you some flexibility that you'd have difficulty achieving otherwise.

I'm going to try to answer all of Kevin's questions at once, hopefully :).

I'm going to backup and try to better explain the overall scenario and what I am trying to do, rather than ask how to do a specific solution. (This is apparently how most multi-top-level-domains-in-Office365 scenarios work).

In this scenario, there is one overall Active Directory domain that everyone is a part of, with a single set of on-prem active directory domain controllers. However, this is a college, so while students and faculty technically are in the same AD domain, they each have different email domains (for example, @college.com for faculty and @email.college.com for students). Each of these two email domains is set up as a top level domain in Office365, and both are under the same Office365 tenant ID that the college owns.

When an SP initiated SAML assertion request comes in from O365, there is no way to distinguish which domain it is for. It uses the same issuer ID for every domain, and asks that we provide a SAML assertion. Despite not having a way to distinguish which domain this is for, we can easily look the user up in AD (again, it's the same AD infrastructure for them all, so we only have to search once, but even if it was multiple AD infrastructures we could still easily set up an APM policy where we search against several different AD AAA configurations in turn). Also, when we do the AD query, we can easily look up their mail attribute in AD, so it's very easy to tell which domain they are a part of at that time.

Here's where we start getting close to the problem. Microsoft requires different issuer IDs for each domain when you send your assertion back to Office365. It doesn't matter what issuer IDs are (you can arbitrarily set them in Office 365), but they must be unique. Example: for the first domain we might want to send an issuerID of and other could be https://email.college.com. So the open ended question is this: how do I at runtime send assertions with different issuer IDs to Office365 when both domains are using the same virtual server/access policy as the IDP?

Solutions I've tried: What I tried to do first was set up two different IDP configurations, each with a different issuer ID, but otherwise the same. The problem is that those have to be bound to two different external SP configurations, distinguishable by IssuerID. In this case I basically only have one external SP, and it is exactly the same for both of them. (This is why my original question was focused on asking how I can switch between IDP configurations based on something other than having the IssuerID match an external SP provider)

My second idea was to have just one IDP configuration with one IssuerID, but try to use an iRule to change it at response time. (This is basically how ADFS works with their "SupportMultipleDomain" switch and additional claims rules: the rules use regexes to take domain from the user's UPN or mail address and insert it into the issuer ID - a really good article showing exactly how this is accomplished technically is at http://blogs.technet.com/b/abizerh/archive/2013/02/06/supportmultipledomain-switch-when-managing-sso-to-office-365.aspx). But, I couldn't find any SAML iRule hooks that would let me do that, and anyway any hook would have to be before the assertion was signed to avoid invalidating it.

So I'm still at my original question, which is basically how to change which issuer ID I send Office365 at runtime, based on the user's UPN/mail domain.