ADC as SAML IDP need SP Info from Assertion


Joseph Tuttle

Hi,

 

I am in the process of implementing ADC for SSO and as a SAML IDP. I have found a situation where, when referred to ADC AAA by the SP for authentication, I need to be able to determine the URL that referred the traffic to the AAA. However, no such value seems to exist in most SP POST headers going to /saml/login to determine this. No referrer, etc.

 

However, I do see plenty of usable information in the actual assertion XML that comes from the SP. Is there any way to grab any of these values from the assertion XML and bring that value into the policy engine for evaluation? 

 

Thanks!


6 hours ago, Oriol Agullo1709161375 said:

Hi,

 

You can use the attributes of the assertion XML.

[image]

For example, if I want to use the first attribute, within the SAML Server, I have to add the first OID.

[image]

 

 

 

Not sure if we are quite looking at the same thing. I am using ADC as an IDP and let's say... Sharefile as an IDP for an example. User goes to Sharefile site and clicks login and is redirected to our AAA with an XML SAML request in the form of a POST. Something like:

 

[image]

 

My intent is to grab the Assertion URL (XXXX.sharefile.com) and use it as part of a rewrite action. Obviously, I can grab a traditional HTTP REQ header or content value and use it in a Responder policy or the like, but the Service Provider HTTP request headers for the request do not contain the identifying information I need. The SAML data does.

 

Does this make more sense?
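
What the SP-supplied values look like once the SAMLRequest parameter posted to /saml/login is decoded, as an added example that is not part of the original posts and is not ADC policy syntax. It runs off-box in Python; the sample request, the example.com host names and the helper names decode_saml_request and sp_info are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample AuthnRequest; hosts and ID are placeholders, not real values.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_constructed1" '
    'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://aaa.example.com/saml/login" '
    'AssertionConsumerServiceURL="https://tenant.sp.example.com/saml/acs">'
    '<saml:Issuer>https://tenant.sp.example.com/saml/info</saml:Issuer>'
    '</samlp:AuthnRequest>' % (SAMLP, SAML)
)


def decode_saml_request(value, redirect_binding=False):
    """Return AuthnRequest XML bytes from a SAMLRequest parameter value."""
    raw = base64.b64decode("".join(value.split()), validate=True)
    if redirect_binding:
        # HTTP-Redirect binding: raw DEFLATE before base64. HTTP-POST: base64 only.
        raw = zlib.decompress(raw, -15)
    return raw


def sp_info(xml_bytes, allowed_hosts):
    """Extract Issuer and ACS URL; reject DTDs and hosts not on the allowlist."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declarations are not accepted")
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a SAML 2.0 AuthnRequest")
    issuer = (root.findtext("{%s}Issuer" % SAML) or "").strip()
    acs_url = root.get("AssertionConsumerServiceURL")  # optional attribute
    host = urlparse(acs_url).hostname if acs_url else None
    # An unsigned AuthnRequest is sender-controlled: only act on known SP hosts.
    if host not in allowed_hosts:
        raise ValueError("ACS host %r is not a registered SP" % host)
    return {"issuer": issuer, "acs_url": acs_url, "acs_host": host}


if __name__ == "__main__":
    posted = base64.b64encode(SAMPLE_XML.encode()).decode()
    print(sp_info(decode_saml_request(posted), {"tenant.sp.example.com"}))
```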

 

 
