Forum Discussion

jnowlin_44976's avatar
jnowlin_44976
Icon for Nimbostratus rankNimbostratus
Aug 21, 2015

SAML IDP-initiated without webtop

so i have 1 SP initiated SAML setup and working. i have another request to setup an IDP initiated SAML connection. i have get it to work successfully following the guide but after signing into the F5 the users have to click the link in the webtop. from research i know i should be able to send them directly to the correct SAML resource but i have not been able to figure it out. any help would be great?

 

this is the guide i followed https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-saml-config-guide-11-3-0/2.htmlunique_882574450

 

  • yes i was doing both SP-initiated and IDP initiated on the same VIP. this was according to the guide and made sense so i only have 1 url for saml.

     

  • Are you doing SP and IdP on a single VIP?

    An SP-initiated SAML auth doesn't require a resource assignment either. It's just:

    start -> SAML Auth -> allow
    

    That's assuming the SAML SP is on one VIP and your IdP is on another.

  • but if i remove the advanced resource assign from the VPE my SP-initiated SAML application stops working. maybe i am missing something but i followed the F5 guide for supporting both SP and IDP initited SAML.

     

    my setup is as follows: 1 virtual server 1 access profile 1 access policy 2 saml local IDP services 2 saml external SP Connectors 2 saml resources

     

  • That's what I'm saying. Your IdP visual policy could look like this:

    start -> [auth] -> allow
    

    Apply the SAML IdP config as an SSO profile to that access policy (directly) - no webtop, no resource assignment. You just need to make sure that at some point in the visual policy you populate that Assertion Subject Value session variable.

  • yes i have the SAML working for both my SP-initiated and IDP-initiated. when a user uses the SP-initiated URL they are taken directly to the service providers site. this is how i want the IDP to work as well so users do not have to manually click on the IDP-initiated resource once authenticated.