Forum Discussion

Manel_Mendoza_1's avatar
Manel_Mendoza_1
Icon for Nimbostratus rankNimbostratus
Nov 17, 2015

Diferent Policies Bracnhes based on SAML request

Hi,

 

I would like to have an idp for a multiple SP (Sp1, and SP2) . The connection is SP initiated to the idp. For security reasons SP1 and SP2 need diferents policies to verify the user..

 

Instead of create differents idp, we would like ( if it's possible ) to make diferents branches on the policy based on the SAML autentication request like ProviderName or AssertionConsumerServiceURL.

 

I dont' know exactly how to write the irule and how to get the variables from the SAML request.

 

THe idea could be.

 

VS ( idp ) ==> { ACL irule } if ( AssertionConsumerServiceURL = SP1 ) ==> polici for SP1 if ( AssertionConsumerServiceURL = SP2 ) ==> polici for SP2

 

Thanks in advance

 

4 Replies

  • Is APM acting as IDP, and SPs are external to it? Can you please elaborate/post more details on what the different policies you want/need to follow to verify the user?

     

  • Hi Michael,

     

    I will put an example.

     

    App1: url: app1.provider.com ==> Very confidential APP. Need a SAML tiquet with atribute "security level = hight" App2: url: app2.provider.com ==> Very low confidencial APP. Need a SAML tiquet with atribute "security level = low" ...

     

    Both need a saml tiquet, and both redirects to the same idp to obtain it, but on the policy of the F5 when the PrivederName= APP1 the policy would request 2 factor autentication . On the other hand, when the idp detects that the providename = APP2, only with username or password is enought.

     

    This is the reason why we need to branch the policy on the idp based on SAML request PrivederName.

     

  • Hi Michael,

     

    I will put an example.

     

    App1: url: app1.provider.com ==> Very confidential APP. Need a SAML tiquet with atribute "security level = hight" App2: url: app2.provider.com ==> Very low confidencial APP. Need a SAML tiquet with atribute "security level = low" ...

     

    Both need a saml tiquet, and both redirects to the same idp to obtain it, but on the policy of the F5 when the PrivederName= APP1 the policy would request 2 factor autentication . On the other hand, when the idp detects that the providename = APP2, only with username or password is enought.

     

    This is the reason why we need to branch the policy on the idp based on SAML request PrivederName.

     

  • I have this same need. authentication will depend on the AssertionConsumerServiceURL. This is the IdP.

    How can that value be obtained in the policy editor? It would be very useful.