Intercept SAML assertion if IdP uses a fixed ACS URL

This rule set intercepts SAML authentication responses that an Identity Provider (IdP) posts to a fixed (static) Assertion Consumer Service (ACS) URL on the proxy. The proxy reads the SAML response and redirects the SAML assertion it carries to the authentication server, which provides the actual Assertion Consumer Service.

Nested library rule set – Intercept SAML assertion if IdP uses a fixed ACS URL
Criteria – Command.Name equals "POST" AND URL.Path is in list SAMLAuthResponseList
Cycles – Requests (and IM)
Note: To configure the list of fixed ACS URLs, click SAMLAuthResponseList.

This rule set contains the following rules.

Handle incoming SAML response

Rule element   Definition
Criteria       Always
Action         Continue
Events         Set Authentication.Token = Request.POSTForm.Get ("SAMLResponse")
               Set Authentication.SAML.RelayState = Request.POSTForm.Get ("RelayState")

The proxy retrieves the SAML response and the RelayState parameter from the POST form sent by the external Identity Provider. It stores the response in the Authentication.Token property and the RelayState in the Authentication.SAML.RelayState property. Because an Identity Provider that only supports a fixed ACS URL cannot post to the dynamic authentication server URL directly, the proxy uses the URL carried in the RelayState to restore that dynamic URL.

Redirect SAML assertion to authentication server

Rule element   Definition
Criteria       Always
Action         Block <SAMLRedirectToAuth>
Events         HTTP.SetStatus (200)

After restoring the dynamic authentication server URL, the proxy redirects the SAML assertion (stored in the Authentication.Token property) to the authentication server and sets the HTTP status code to 200 (OK). To provide custom settings for logging purposes, click <SAMLRedirectToAuth>.
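As an added illustration, not Web Gateway code or rule syntax, the Python below models the whole rule set end to end: the POST-and-path criteria, the two Set events of the first rule, and the block-with-status-200 forward of the second rule. The path list, the allow-listed authentication server host, the sample samlp:Response and the RelayState URL are all constructed for the example. The check that the restored URL names a known authentication server is a general precaution added here (RelayState comes back from the IdP exactly as the party that started the login supplied it); the page does not describe such a check.

```python
"""Added example, not Web Gateway code: a minimal model of the two rules above.
A fixed-ACS-URL IdP POSTs SAMLResponse and RelayState to a path on the proxy;
the proxy stores both, restores the dynamic authentication server URL from
RelayState and re-posts the assertion to it, answering the browser with 200.

Assumed, not stated on the page: RelayState carries an https URL of the
authentication server, and the proxy holds an allow list of such hosts.
"""
import base64
import html
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

# Stand-in for the SAMLAuthResponseList (constructed for this example)
SAML_AUTH_RESPONSE_LIST = {"/saml/acs"}
# Hosts the proxy is willing to forward an assertion to (constructed allow list)
AUTH_SERVER_HOSTS = {"auth.example.internal"}
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


def matches_rule_set(method, path):
    """Criteria: Command.Name equals "POST" AND URL.Path is in list SAMLAuthResponseList."""
    return method == "POST" and path in SAML_AUTH_RESPONSE_LIST


def handle_incoming_saml_response(body):
    """Rule 1: read SAMLResponse and RelayState from the POST form into properties."""
    form = parse_qs(body, keep_blank_values=True)
    token = form.get("SAMLResponse", [None])[0]
    relay_state = form.get("RelayState", [None])[0]
    if not token:
        raise ValueError("POST form carries no SAMLResponse")
    # The token is base64-encoded XML; refuse anything that is not a samlp:Response
    root = ET.fromstring(base64.b64decode(token, validate=True))
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError(f"unexpected root element {root.tag}")
    return {"Authentication.Token": token,
            "Authentication.SAML.RelayState": relay_state}


def restore_auth_server_url(relay_state):
    """Recover the dynamic authentication server URL from RelayState.

    RelayState is echoed back by the IdP as the party that started the login
    supplied it, so it is checked against the allow list before the assertion
    is forwarded (general precaution added in this example, not on the page).
    """
    parts = urlsplit(relay_state or "")
    if parts.scheme != "https" or parts.hostname not in AUTH_SERVER_HOSTS:
        raise ValueError("RelayState does not name a known authentication server")
    return relay_state


def _esc(value):
    return html.escape(value, quote=True)


def redirect_saml_assertion(props):
    """Rule 2: block the request and answer 200 with a page that auto-POSTs the
    stored assertion to the authentication server (SAML HTTP-POST binding)."""
    target = restore_auth_server_url(props["Authentication.SAML.RelayState"])
    page = (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="POST" action="{_esc(target)}">'
        f'<input type="hidden" name="SAMLResponse" value="{_esc(props["Authentication.Token"])}">'
        f'<input type="hidden" name="RelayState" value="{_esc(target)}">'
        '<noscript><input type="submit" value="Continue"></noscript>'
        '</form></body></html>'
    )
    return 200, "text/html", page


def process(method, path, body):
    """Nested rule set entry point: None means the rule set does not apply."""
    if not matches_rule_set(method, path):
        return None
    try:
        props = handle_incoming_saml_response(body)
        return redirect_saml_assertion(props)
    except (ValueError, ET.ParseError) as exc:
        return 400, "text/plain", f"SAML response rejected: {exc}"


# Constructed sample: a bare samlp:Response, as an IdP with a fixed ACS URL would POST it
SAMPLE_RESPONSE_XML = (
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_r1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" Destination="https://proxy.example/saml/acs"/>'
)
SAMPLE_RELAY_STATE = "https://auth.example.internal/login?session=abc123"


def build_sample_post_body(relay_state=SAMPLE_RELAY_STATE, xml=SAMPLE_RESPONSE_XML):
    """Encode the sample the way a browser submits the IdP's POST form."""
    token = base64.b64encode(xml.encode()).decode()
    return urlencode({"SAMLResponse": token, "RelayState": relay_state})


if __name__ == "__main__":
    status, ctype, content = process("POST", "/saml/acs", build_sample_post_body())
    print(status, ctype)
    print(content)
```

Requests that are not a POST, or whose path is not in the list, fall through untouched (`None`), which mirrors the criteria on the nested rule set; a POST that does carry a parsable samlp:Response but whose RelayState points somewhere other than an allow-listed authentication server is rejected rather than forwarded.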