Authentication server request

The rules in this rule set apply to the authentication server when it manages SAML authentication using an external Identity Provider. The authentication server processes the SAML authentication response, but does not set the cookie in this rule set. Cookie authentication is handled by the rules in the Cookie authentication at HTTP(S) rule set instead.

Nested library rule set – Authentication server request
Criteria Authentication.IsServerRequest equals true
Cycles – Requests (and IM)

This rule set contains the following rules.

Redirect clients that have a valid cookie

Rule element Definition
Criteria Authentication.Authenticate <Authentication Server - Cookie Check> equals true
Action Redirect <Redirect Back From Authentication Server>
Events None

The authentication server redirects users having a valid cookie to the proxy. To change the cookie checking settings used by the authentication server, click <Authentication Server - Cookie Check>. To provide custom settings for logging purposes, click <Redirect Back From Authentication Server>.

Prepare fixed ACS URL

Rule element Definition
Criteria Always
Action Continue
Events Set User-Defined.SAMLUrlRewrite = URL.Protocol + "://" + URL.Host + "- enter your URL here -"

In this rule you can configure a static ACS URL for external Identity Providers that do not support dynamic URLs. If set, this value must match the ACS URL value configured in the SAML Response settings.

POST SAML authentication request

Rule element Definition
Criteria Command.Name does not match POST
Action Block <SAML request>
Events
Set Authentication.SAML.RelayState = URL
Set Authentication.Token = Authentication.SAML.CreateAuthnRequest (User-Defined.SAMLUrlRewrite) <SAML Request>
HTTP.SetStatus (200)

The authentication server sends the RelayState parameter and SAML authentication request in a POST form to the external Identity Provider. The RelayState parameter saves the value of the authentication server URL at the time the request is created. The request is created using values configured in the Web Gateway interface. The authentication server then sets the HTTP status code to 200 (OK). To change the SAML authentication request configuration, click <SAML Request> in this event.

Handle SAML authentication response

Rule element Definition
Criteria Command.Name equals "POST"
Action Continue
Events
Set Authentication.Token = Request.POSTForm.Get ("SAMLResponse")
Set Authentication.IsAuthenticated = Authentication.SAML.ParseAuthnResponse ("POST", User-Defined.SAMLUrlRewrite, Authentication.Token) <SAML Response>

This rule retrieves the SAML response from the POST form sent by the external Identity Provider and stores it in the Authentication.Token property. It then parses the response and sets Authentication.IsAuthenticated to TRUE if the response is valid and to FALSE if it is not. To change the SAML authentication response configuration, click <SAML Response>.

Block invalid SAML response

Rule element Definition
Criteria Command.Name equals "POST" AND Authentication.IsAuthenticated equals false
Action Block <Authorized Only>
Events None

After the SAML response is parsed, this rule checks the value of the property Authentication.IsAuthenticated. If the property is false, the SAML response is invalid and processing of the response is blocked. To provide custom settings for logging purposes, click <Authorized Only>.

Set user name and groups

Rule element Definition
Criteria Always
Action Continue
Events

Set Authentication.UserName = Map.GetStringValue (Authentication.SAML.Attributes, "userId")

Set Authentication.UserGroups = String.ToStringList (Map.GetStringValue (Authentication.SAML.Attributes, "userGroup"), ", ", "")

This rule maps the SAML attributes "userId" and "userGroup" to the Authentication.UserName and Authentication.UserGroups properties, respectively. You can use the rule editor to change the names of the SAML attributes that are mapped to the authentication properties.

Block empty user name

Rule element Definition
Criteria Authentication.UserName equals ""
Action Block <Authorized Only>
Events None

If the user name property is empty, this rule blocks processing of the response. To provide custom settings for logging purposes, click <Authorized Only>.
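The response handling described by the rules above (fixed ACS URL match, block on an invalid response, map "userId" and "userGroup", block an empty user name), as an added Python example that is not Web Gateway code and uses a constructed ACS URL and a constructed, unsigned Identity Provider response; XML signature verification, which the product's <SAML Response> settings cover, is deliberately not modelled:

```python
import base64
import xml.etree.ElementTree as ET

SAML_P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_A = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ACS_URL = "https://gateway.example.internal/saml/acs"  # fixed ACS URL, constructed placeholder

def parse_authn_response(b64_response, acs_url):
    """Stand-in for Authentication.SAML.ParseAuthnResponse: returns (is_valid, attributes).
    Rejects undecodable input, a Destination other than the ACS URL and a non-Success status."""
    try:
        root = ET.fromstring(base64.b64decode(b64_response, validate=True))
    except (ValueError, ET.ParseError):
        return False, {}
    if root.tag != f"{{{SAML_P}}}Response" or root.get("Destination") != acs_url:
        return False, {}
    code = root.find(f"{{{SAML_P}}}Status/{{{SAML_P}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        return False, {}
    attrs = {}
    for attr in root.iter(f"{{{SAML_A}}}Attribute"):
        values = attr.findall(f"{{{SAML_A}}}AttributeValue")
        attrs[attr.get("Name")] = (values[0].text or "") if values else ""
    return True, attrs

def handle_response(b64_response, acs_url, user_attr="userId", group_attr="userGroup"):
    """Rules 'Handle SAML authentication response' through 'Block empty user name'."""
    ok, attrs = parse_authn_response(b64_response, acs_url)
    if not ok:
        return None  # Block invalid SAML response (<Authorized Only>)
    user_name = attrs.get(user_attr, "")
    # String.ToStringList(value, ", ", ""): split the group attribute value on ", ".
    groups = [g for g in attrs.get(group_attr, "").split(", ") if g]
    if user_name == "":
        return None  # Block empty user name (<Authorized Only>)
    return {"user": user_name, "groups": groups}

def sample_response(user_id="jdoe", groups="staff, vpn-users"):
    """Constructed, unsigned IdP response, base64-encoded as carried in the SAMLResponse form field."""
    xml = (
        f'<samlp:Response xmlns:samlp="{SAML_P}" xmlns:saml="{SAML_A}" Destination="{ACS_URL}">'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        '<saml:Assertion><saml:AttributeStatement>'
        f'<saml:Attribute Name="userId"><saml:AttributeValue>{user_id}</saml:AttributeValue>'
        f'</saml:Attribute><saml:Attribute Name="userGroup"><saml:AttributeValue>{groups}'
        '</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()
```

A response addressed to any other ACS URL, or one whose "userId" attribute is empty, is rejected exactly where the corresponding rule would block it.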

P3P header to permit third party cookies in Internet Explorer

Rule element Definition
Criteria Always
Action Continue
Events Header.Block.Add ("P3P", "CP="NOI CUR OUR STP STA"")

The P3P string is required for the Platform for Privacy Preferences Project (P3P). The string must match the privacy settings in the user's browser. If the browser is Internet Explorer and the P3P header is not set as shown in the table, the browser does not accept the third-party cookie and processing fails.

Redirect authenticated client back to proxy

Rule element Definition
Criteria Always
Action Redirect <Redirect Back From Authentication Server>
Events None

In this final rule of the rule set, the authentication server redirects the authenticated user back to the proxy. To provide custom settings for logging purposes, click <Redirect Back From Authentication Server>.