Forum Discussion

joesnyder_13328's avatar
joesnyder_13328
Icon for Nimbostratus rankNimbostratus
Jun 19, 2014

SAML Idp-Initiated Connections

I am new to the whole SAML thing and have been playing around with it. I have setup my saleforce dev account to work with our BigIp device and it works perfectly. Since I am still super new to this beg my forgiveness if I mix up any terms, and feel free to let me know.

 

I setup a BigIP as Idp for SalesForce and configured all the settings in the Local Idp Service tab. I then created an External SP connector and connected the Service to that connector. I believe that this is SP-Initiated SAML correct? This allows me to use our AAA (AD) to login to SalesForce.

 

Now I am playing with another vendor that only supports Idp-Initiated Connections.

 

My question is how do I go about creating a Idp Initiated Connection to SP?

 

Thanks!

 

BIG-IP Access Policy Manager (APM)
idp
saml
security

20 Replies

Sort By
Show More
  • Kendall_Zaugg_1's avatar
    Kendall_Zaugg_1
    Icon for Nimbostratus rankNimbostratus
    Jul 01, 2015

    Can someone spoon feed me a bit and explain where the iRule supplied by the Milk man would go? Do I add another object in my policy for the iRule: i.e. general purpose::iRule event?

     

    Not sure how to implement this. I have this setup for SP initiated, but struggling with the IdP initiated.

     

    Thanks in advance.

     

  • kunjan's avatar
    kunjan
    Icon for Nimbostratus rankNimbostratus
    Jul 08, 2015

    Just add this iRule to the IdP virtual server in resource configuration

     

  • jerebrad_302050's avatar
    jerebrad_302050
    Icon for Nimbostratus rankNimbostratus
    Jan 27, 2017

    I was given another solution to this problem by my SE. Its written by Graham at F5 who specializes in SAML. https://devcentral.f5.com/articles/apm-cookbook-autolaunch-saml-resources-21377

     

    Here are Graham's comments to our SE regarding the solutions Kunjun and Milkman and why his solution is more complete:

     

    "It only handles the access policy completed event so if they later come back to the existing session it will not fire because that event isn’t hit, that’s why mine has two events to cover the two access scenarios. Also it assumes you always want the user redirected to the same SAML resource, what if you have multiple, that’s why mine leverages a switch."

     

    The benefit of Graham's solution for me was that with Milkman's I had to lower the timeout threshold, because if you closed the site you accessed through SAML, you couldn't access it again unless the previous session was ended. With Graham's solution you can access it even if the previous session isn't closed. He described that scenario above.