Forum Discussion

THi_89722
Aug 06, 2015

Are there any APM SAML related iRule events/commands?

BIG-IP LTM+APM as a SAML SP using an external IdP. The external IdP supports and serves its login page in multiple languages. The language used can be a SAML Extension attribute in the SAML AuthnRequest, or it can be a parameter in the HTTP POST redirect which passes the request to the IdP.


Adding Extension attributes to the SAML request itself seems not to be possible currently. So the option would be to add the parameter to the SAML request redirect, like POST


If the parameter part is added to the SAML IdP endpoint definition, it goes into the SAML AuthnRequest Destination element too, and the IdP does not allow it.


Is there any way to do this other than making a front virtual server to intercept the SAML AuthnRequest redirect? Adding the layered front virtual complicates the solution, as the APM config is already rather complex. I would like to be able to intercept the SAML request and modify it with an iRule in the same APM virtual.


2 Replies

  • kunjan

    There is no SAML-specific iRule event, AFAIK. I guess the challenge is modifying the payload, which in turn affects the integrity check done through XML signature verification.


  • If I may add, what you're essentially trying to do is modify the response from the APM agent, and this would require a response event in the client-side context (responses from the BIG-IP itself). Unfortunately, this doesn't exist. The HTTP response events work in the server-side context and are triggered when the backend server responds to a request. The easiest option, in my opinion, is a layered VIP in front of the SP VIP. The only complexity this should really add is SSL offload.

    when CLIENT_ACCEPTED {
        # hand every connection to the APM SP virtual (name assumed)
        virtual apm-vs
    }
    when HTTP_RESPONSE {
        # the AuthnRequest leaves the SP as an HTML auto-submit POST form; buffer it
        if { [HTTP::status] == 200 && [HTTP::header value Content-Type] starts_with "text/html" } {
            if { [HTTP::header exists Content-Length] } {
                HTTP::collect [HTTP::header Content-Length]
            } else {
                HTTP::collect
            }
        }
    }
    when HTTP_RESPONSE_DATA {
        # rewrite only the form action (IdP URL and lang value are placeholders);
        # the signed SAMLRequest value is left untouched
        if { [HTTP::payload] contains "SAMLRequest" } {
            set new [string map {"https://idp.example.com/sso" "https://idp.example.com/sso?lang=fi"} [HTTP::payload]]
            HTTP::payload replace 0 [HTTP::payload length] $new
        }
        HTTP::release
    }
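The following Python script is an added illustration of the two points made in the replies, not code from this thread or from F5: rewriting the form action of the SP's HTTP-POST auto-submit page adds the language parameter to the URL the browser posts to, while the base64 SAMLRequest and its Destination attribute stay byte-identical, so any XML signature over the AuthnRequest is unaffected; by contrast, putting the parameter into the IdP endpoint definition ends up in Destination. The IdP and SP URLs, the page markup and the unsigned AuthnRequest are constructed sample data.

```python
"""Rewrite the SP's auto-POST page so the IdP endpoint URL carries a language
parameter while the AuthnRequest (and its Destination) stays byte-identical."""
import base64
import html
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from xml.etree import ElementTree as ET

# Constructed sample values; the IdP and SP URLs are hypothetical.
IDP_SSO = "https://idp.example.com/saml/sso"
SP_ENTITY_ID = "https://sp.example.com/sp"


def build_authn_request(destination: str) -> str:
    """Minimal (unsigned) AuthnRequest as an SP would emit it for `destination`."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_id1" Version="2.0" '
        f'IssueInstant="2015-08-06T00:00:00Z" Destination="{html.escape(destination, quote=True)}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )


def build_post_page(action: str, authn_request_xml: str) -> str:
    """HTTP-POST binding page: base64 SAMLRequest inside a self-submitting form."""
    b64 = base64.b64encode(authn_request_xml.encode()).decode()
    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="POST" action="{html.escape(action, quote=True)}">'
        f'<input type="hidden" name="SAMLRequest" value="{b64}"/>'
        "</form></body></html>"
    )


FORM_ACTION_RE = re.compile(r'(<form\b[^>]*\baction=")([^"]*)(")', re.I)
SAMLREQ_RE = re.compile(r'name="SAMLRequest"\s+value="([^"]*)"')


def add_query_param(url: str, name: str, value: str) -> str:
    """Append name=value to url, keeping any query string it already has."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + [(name, value)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def rewrite_form_action(page: str, name: str, value: str) -> str:
    """What the layered-VIP iRule does: touch the form action only, never the SAMLRequest."""
    def repl(m: re.Match) -> str:
        new_action = add_query_param(html.unescape(m.group(2)), name, value)
        return m.group(1) + html.escape(new_action, quote=True) + m.group(3)
    return FORM_ACTION_RE.sub(repl, page, count=1)


def form_action_of(page: str) -> str:
    return html.unescape(FORM_ACTION_RE.search(page).group(2))


def saml_request_b64(page: str) -> str:
    return SAMLREQ_RE.search(page).group(1)


def destination_of(page: str) -> str:
    """Decode the SAMLRequest and read its Destination attribute."""
    return ET.fromstring(base64.b64decode(saml_request_b64(page))).get("Destination")


if __name__ == "__main__":
    original = build_post_page(IDP_SSO, build_authn_request(IDP_SSO))
    rewritten = rewrite_form_action(original, "lang", "fi")
    print("form action :", form_action_of(rewritten))
    print("Destination :", destination_of(rewritten))
    print("SAMLRequest unchanged:", saml_request_b64(original) == saml_request_b64(rewritten))
    # Putting the parameter into the IdP endpoint definition instead leaks it into Destination.
    leaky = IDP_SSO + "?lang=fi"
    print("Destination when set in endpoint:", destination_of(build_post_page(leaky, build_authn_request(leaky))))
```

The same split applies to the iRule: `string map` over the form action is safe precisely because the SAMLRequest value is a separate attribute that the replacement never touches; a rewrite that matched inside the base64 blob would corrupt the request and fail signature verification at the IdP.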