I recently have multiple SP SSO connections working in the same Access Profile. This works as the user navigates to whichever resource they are requesting. The SAML resources are valued in 'LDAP Group Resource Assign'. I have them valued to AD groups, and this works, in the group you are allowed, not in the group, I get a page cannot be displayed or a long SSO error. Is there a way to display a nice error page around the group failure? Assuming you may be in 3/5 groups for example. (All without a real WebTop) Thank you!

Hi, You can add an empty box and add branches where you check that session.assigned.resources and session.assigned.webtop are not empty.

expression to include in the branch : expr { !([mcget {session.assigned.webtop}] equals "") && !([mcget {session.assigned.resources}] equals "") }

Thanks, that does work if they are not a member of any SAML resource/WebTop. Do you know of a creative way to show a nice deny page if they match at least 1 SAML resource but not the one they are going to? Example, they make it through the policy since they have at least 1 SAML resource, however, they did not initiate the SSO connection at this resource. Therefore, it's a page cannot be displayed or a long SSO error. Maybe an irule that captures general SSO failure? Thanks, Mike

SSO Resource Assignment

12 Replies

Yann_Desmarest_
Nacreous
Jul 28, 2016
Hi,

You can add an empty box and add branches where you check that session.assigned.resources and session.assigned.webtop are not empty.
- Yann_Desmarest_
  Nacreous
  Jul 28, 2016
  expression to include in the branch :
  
  expr { !([mcget {session.assigned.webtop}] equals "") && !([mcget {session.assigned.resources}] equals "") }
- MC_273315
  Cirrus
  Jul 28, 2016
  Thanks, that does work if they are not a member of any SAML resource/WebTop. Do you know of a creative way to show a nice deny page if they match at least 1 SAML resource but not the one they are going to?
  
  Example, they make it through the policy since they have at least 1 SAML resource, however, they did not initiate the SSO connection at this resource. Therefore, it's a page cannot be displayed or a long SSO error. Maybe an irule that captures general SSO failure?
  
  Thanks, Mike
- MC_273315
  Cirrus
  Jul 28, 2016
  This is the error - SSOv2 Error(16) Unable to find SAML SSO/SP Connector object matching SAML Authn Request.
  
  If I could intercept all (SSOv2 Error)s to redirect to a deny/sorry page, that would work. Testing irule logic now.
Yann_Desmarest
Cirrus
Jul 28, 2016
Hi,

You can add an empty box and add branches where you check that session.assigned.resources and session.assigned.webtop are not empty.
- Yann_Desmarest
  Cirrus
  Jul 28, 2016
  expression to include in the branch :
  
  expr { !([mcget {session.assigned.webtop}] equals "") && !([mcget {session.assigned.resources}] equals "") }
- MC_273315
  Cirrus
  Jul 28, 2016
  Thanks, that does work if they are not a member of any SAML resource/WebTop. Do you know of a creative way to show a nice deny page if they match at least 1 SAML resource but not the one they are going to?
  
  Example, they make it through the policy since they have at least 1 SAML resource, however, they did not initiate the SSO connection at this resource. Therefore, it's a page cannot be displayed or a long SSO error. Maybe an irule that captures general SSO failure?
  
  Thanks, Mike
- MC_273315
  Cirrus
  Jul 28, 2016
  This is the error - SSOv2 Error(16) Unable to find SAML SSO/SP Connector object matching SAML Authn Request.
  
  If I could intercept all (SSOv2 Error)s to redirect to a deny/sorry page, that would work. Testing irule logic now.

Forum Discussion

SSO Resource Assignment

12 Replies

Recent Discussions

CWE-20: Improper Input Validation

Errors in setup of BIGIP-NEXT CM VE on KVM

SEEK ADVICE FROM WEB BAILIFF CONTRACTOR ON STOLEN CRYPTO

AS3 Deployments (shared objects)

rSeries and tenant upgrades

Related Content

DevCentral Resources

APM variable assign examples

Mitigating OWASP API Security Risk: Mass Assignment using F5 XC Platform

F5 Resources for COVID-19

Enhanced Modern Applications and MicroServices SSO with NGINX