gogreen
Nov 16, 2020
Solved

Decode SAML Response from IDP Server

Here is the traffic flow:

SP<===========>F5(VS/Pool)<=============>IDP Server(s)

In this setup, the SP sees F5 as the IDP (F5 is acting as a proxy in front of the IDP servers). Using iRules, how can I extract one of the attributes from the SAML response sent from the IDP?

  • Hello Gogreen.

     

    F5 has native iRules (v14.1+) to manage SAML assertion when it works as SP or IDP.

    • ACCESS_SAML_AUTHN – authentication request
    • ACCESS_SAML_ASSERTION – assertion
    • ACCESS_SAML_SLO_REQ – single logout request
    • ACCESS_SAML_SLO_RESP – single logout response

     

    In your case (being a proxy) and assuming that you are offloading traffic (SSL Bridging), your only chance is to manage that communication as a regular HTTP connection with headers and payload, where the SAML assertion will be located in the payload section (coded in base64).

     

    Regards,

    Dario.
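
The approach described in the reply above, sketched as an iRule. This is an added example, not part of the original thread and not F5's own code. It assumes the IdP uses the HTTP-POST binding (the SAML response arrives as a hidden `SAMLResponse` field in an HTML form), that the assertion is not encrypted, and that the attribute of interest is named `mail` (a hypothetical name).

```tcl
# Added example (not from the thread). Assumptions: HTTP-POST binding,
# unencrypted assertion, hypothetical attribute name "mail".
when HTTP_REQUEST {
    # Request an uncompressed response so the payload can be searched as text.
    HTTP::header remove "Accept-Encoding"
}

when HTTP_RESPONSE {
    # With HTTP-POST binding the IdP answers with an auto-submitting HTML form.
    if { [HTTP::header value "Content-Type"] starts_with "text/html" } {
        # Collect at most 1 MB to bound memory use.
        if { [HTTP::header exists "Content-Length"] && [HTTP::header value "Content-Length"] <= 1048576 } {
            set collect_len [HTTP::header value "Content-Length"]
        } else {
            set collect_len 1048576
        }
        if { $collect_len > 0 } { HTTP::collect $collect_len }
    }
}

when HTTP_RESPONSE_DATA {
    # Assumes the hidden field is written as name="SAMLResponse" ... value="<base64>".
    if { [regexp -nocase {name="SAMLResponse"[^>]*value="([^"]+)"} [HTTP::payload] -> b64] } {
        # Drop line breaks the IdP may have inserted into the base64 text.
        set b64 [string map [list "\r" "" "\n" ""] $b64]
        if { [catch { set xml [b64decode $b64] }] } {
            log local0.warning "SAMLResponse field is not valid base64"
        } elseif { $xml contains "EncryptedAssertion" } {
            # Attribute values are not readable without the SP's private key.
            log local0.info "SAML assertion is encrypted; attributes not visible"
        } elseif { [regexp {Name="mail"[^>]*>\s*<[^>]*AttributeValue[^>]*>([^<]*)<} $xml -> attr_value] } {
            # The signature has not been checked here: use the value for
            # logging or routing only, not for an authorization decision.
            log local0.info "SAML attribute mail: $attr_value"
        }
    }
}
```

The regular expressions match the common serialization only; an IdP that orders the form or XML attributes differently needs the patterns adjusted.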

3 Replies

    • Please flag the question as answered if it was; it helps others recognize the status.