Forum Discussion

Simon_Waters_13
Nov 14, 2017

Returning SAML Responses to the server that sent the Request

Looking to load balance requests based on URL across a set of servers acting as SAML SP.

The original URL is easy: we can balance on a hash of the relevant part of the URL.

The SAML response wants to go back to the same backend server (or we need to share session and we'd rather not, although we will if this is the right way(TM)), and there is no clue in the Request/Response as to which server it is from.

After some thought we considered identifying the SAML request as it is a 302 redirect to a specific URL, extracting the ID in the SAML request, and then using the "InResponseTo" field in the response to select the server that just sent the request with that ID.

Feels a bit overkill, decoding SAML requests, parsing XML (or something simpler than parsing) etc., and responses to load balance, but it is only once per authentication, so every couple of hours.

Given a user may be using two sets of servers simultaneously, we do need to tie the two requests together, and simple proximity in time, or other client identifiers, won't work.

Have we missed some industry norm or best practice?

Does this sound sane?

Do F5s do this somewhere?

Anyone written anything like it? It should be pretty easy, but if someone got there first....
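One way to do the ID / InResponseTo correlation the post describes, as an added Python sketch that is not part of the original post and not F5 code (on a BIG-IP the equivalent would be an iRule): it inflates the SAMLRequest from the redirect URL, records which backend issued that request ID, and later maps the SAMLResponse's InResponseTo back to that backend. The IdP URL, backend names, TTL and the sample messages are constructed for the example; the load balancer only picks a backend here, the SP behind it still validates the signature and InResponseTo itself.

```python
import base64, re, time, zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
MAX_XML = 64 * 1024                               # cap inflated size: the input is untrusted
ID_RE = re.compile(r"^[A-Za-z_][\w.-]{0,255}$")   # xs:ID-shaped; never key the table on junk

def decode_redirect_request(location):
    """HTTP-Redirect binding: SAMLRequest = base64(raw DEFLATE(xml)), URL-encoded."""
    raw = base64.b64decode(parse_qs(urlparse(location).query)["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(wbits=-15)
    xml = inflater.decompress(raw, MAX_XML)
    if inflater.unconsumed_tail:
        raise ValueError("SAMLRequest inflates past MAX_XML")
    return xml.decode("utf-8")

def decode_post_response(field):
    """HTTP-POST binding: the SAMLResponse form field is plain base64, no DEFLATE."""
    return base64.b64decode(field, validate=True).decode("utf-8")

def root_attr(xml, tag, attr):
    root = ET.fromstring(xml)   # stdlib ET does not fetch external entities
    if root.tag != f"{{{SAMLP}}}{tag}":
        raise ValueError(f"unexpected root element {root.tag}")
    value = root.attrib.get(attr, "")
    if not ID_RE.match(value):
        raise ValueError(f"missing or malformed {attr}")
    return value

class Correlator:
    """Remembers which backend issued each AuthnRequest ID, for a bounded time, one use."""
    def __init__(self, ttl=600):
        self.ttl, self.table = ttl, {}
    def saw_request(self, location, backend, now=None):
        rid = root_attr(decode_redirect_request(location), "AuthnRequest", "ID")
        self.table[rid] = (backend, (now or time.time()) + self.ttl)
        return rid
    def backend_for_response(self, field, now=None):
        irt = root_attr(decode_post_response(field), "Response", "InResponseTo")
        backend, expires = self.table.pop(irt, (None, 0))  # pop: one response per request
        return backend if (now or time.time()) <= expires else None

# Constructed sample traffic (not a real IdP exchange) to exercise both bindings.
def encode_redirect_request(xml, idp_sso_url):
    c = zlib.compressobj(wbits=-15)
    return idp_sso_url + "?SAMLRequest=" + quote(base64.b64encode(c.compress(xml.encode()) + c.flush()))

def encode_post_response(xml):
    return base64.b64encode(xml.encode()).decode()
```

An unknown, expired or already-consumed InResponseTo returns None, so the caller falls back to the normal hash balancing instead of letting a stale or replayed response pin traffic to a backend.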

 

1 Reply

  • I have just received information from our Service Provider, Strata Decision, who indicates that I need to add an InResponseTo field containing the ID in the SAML authentication request in order for them to retain the correct session correlation.

    Did you come up with a good method to populate this?

    Much appreciated!