Access Policy branch rule for multiple SP on same virtual server?

Question

Hi, I'm new to SAML in F5 Big-IP LTM and APM but I'm trying to accomplish something quite simple.&nbsp;
I want to have one and the same virtual server for all my SAML federations (easier to maintain). Right now I only have one idp for an external SP, but I'm trying to setup another.&nbsp;
How can I in the APM access policy redirect an incoming connection from a specific URI to a specific idP hosted on the F5?&nbsp;
Right now the access policy is quite simple: &nbsp;
Start &gt; SAML Auth &gt; Successfull (Allow)
                    Fallback (Deny)&nbsp;
Should I use advanced resource assign based on landinguri? And how do I do that properly?&nbsp;
Regards&nbsp;
Robert&nbsp;

stanislas_piro2 · Answer

Hi,
you must create an empty box with multiple branches... expression of SP sp1.company.com must be:
expr { [mcget {session.server.network.name}] == "sp1.company.com" }

on each branch, add a SAML auth box with dedicated SAML SP profile.

abdessamad1 · Answer

I guess your F5 setup is playing the role of an IdP, but you have multipe IdP objects and want to use them depending on the SP.&nbsp;
In this case I would use an iRule that looks at the Referer header and select the correct IdP with the "WEBSSO::select" command.&nbsp;

Forum Discussion

Access Policy branch rule for multiple SP on same virtual server?

2 Replies

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

Related Content

Check a Virtual Server's SSL Status

Virtual Server graphical App for F5 LTM

Reviewing vulnerability scanner results for an Access Policy Manager (APM) protected Virtual Server

virtual server config

Integrating SSL Orchestrator with Fortinet FortiGate Virtual Edition as a Virtual Wire