Forum Discussion

Jason_L_40779
Mar 15, 2016

SAML SP Initiated Connections

I'm in the process of rolling out APM as a SAML IDP. Currently, we have 6 applications that are all going to be using SP initiated SAML coming from an external provider which we do not manage. I have it working with one provider. My question is, how does APM know which SAML resource to assign a user to if they are all sharing the same IDP? In my configuration, I have one vip, one access profile, and one IDP, with 6 SP connectors. I understand from an IDP initiated point of view, a user could simply just click on the SAML resource they want to access. However, when the SP redirects the user back to my IDP, the access policy has 6 SAML resources under the resource assign. I don't want the user to have to click anything. I want them to sign in once and the external page is visible.


I could create a separate vip per SAML application with a separate profile and IDP. But is there an easier way to do this? I guess my bigger question is... how does APM know that a user went to, say, sharepoint.test.com, and when sharepoint redirects back to the local IDP, not to assign, say, the office 365 resource?


2 Replies

  • In an SP initiated scenario, if you look at the SAML request that comes through (which you can do in Firefox using an addon called SAML Tracer, for example) you'll notice a couple of fields in the request: Issuer (which seems to match to the Entity ID you set in your SAML config in APM) and Assertion Consumer Service URL, among others. I'm not exactly sure which one it uses (I think it's the Assertion Consumer Service URL), but the APM matches one of those values with the corresponding External SP Connector to figure out which one to use, and then does its processing based on that.

    Also, within the policy - through the VPE - you can assign resources to users that they should be allowed to access.

    Hope this helps.

  • Question, not exactly related, but where can I find the ACS URL that was sent in by the SP? I need to check which service it is returning to, to decide what type of authentication is needed (so I need it early in the access policy). Thanks!
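To make the routing described in the first reply concrete, and to show where the ACS URL asked about in the second reply lives, here is an added example (not code from the thread or from F5) that decodes an HTTP-Redirect-binding SAMLRequest, pulls out the Issuer and AssertionConsumerServiceURL, and selects an SP connector the way an IdP must: by Issuer, and only if the ACS URL is one registered for that SP. The connector table, the Entity IDs and the sample AuthnRequest are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical SP connector table: Issuer (Entity ID) -> connector name and the
# ACS URLs registered for that SP. All values are constructed for this example.
SP_CONNECTORS = {
    "https://sharepoint.test.com/saml": {
        "name": "sharepoint-sp",
        "acs_urls": {"https://sharepoint.test.com/_trust/"}},
    "urn:federation:MicrosoftOnline": {
        "name": "office365-sp",
        "acs_urls": {"https://login.microsoftonline.com/login.srf"}},
}

def decode_redirect_request(saml_request: str) -> bytes:
    """Undo the HTTP-Redirect binding encoding: base64, then raw DEFLATE."""
    return zlib.decompress(base64.b64decode(saml_request), -15)

def parse_authn_request(xml_bytes: bytes) -> dict:
    """Extract Issuer and AssertionConsumerServiceURL from an AuthnRequest.
    For untrusted input in production, parse with defusedxml instead of stdlib."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    return {"id": root.get("ID"), "issuer": issuer.strip() if issuer else None,
            "acs_url": root.get("AssertionConsumerServiceURL")}

def select_sp_connector(req: dict) -> str:
    """Pick the connector by Issuer, then require the ACS URL to be one registered
    for that SP, so an assertion is never posted to an endpoint the SP did not register."""
    sp = SP_CONNECTORS.get(req["issuer"])
    if sp is None:
        raise LookupError("unknown issuer %r" % req["issuer"])
    if req["acs_url"] and req["acs_url"] not in sp["acs_urls"]:
        raise ValueError("ACS URL %r not registered for %s" % (req["acs_url"], sp["name"]))
    return sp["name"]

def encode_redirect_request(xml_bytes: bytes) -> str:
    """Apply the HTTP-Redirect binding encoding (used here only to build the sample)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml_bytes) + c.flush()).decode()

# Constructed sample AuthnRequest, as the SharePoint SP might send it to the IdP.
SAMPLE_XML = (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_abc123" Version="2.0" '
              b'IssueInstant="2016-03-15T12:00:00Z" '
              b'AssertionConsumerServiceURL="https://sharepoint.test.com/_trust/">'
              b'<saml:Issuer>https://sharepoint.test.com/saml</saml:Issuer></samlp:AuthnRequest>')
```

Running `select_sp_connector(parse_authn_request(decode_redirect_request(encode_redirect_request(SAMPLE_XML))))` returns `sharepoint-sp`; the same request with a foreign ACS URL is rejected rather than routed.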