Heath_H
Contributor

Mobile Access - URL Rewrite Support for Web Apps that use SAML SSO

I'm trying to put web apps in Mobile Access that leverage SAML based SSO (we use Okta, but it's the same for any SAML SSO provider).

The challenge is that the application redirects to the SAML IdP just fine, but when the IdP redirects back to the relying party (SP), it is using the configured Relying Party URL.  So we need to send the IdP traffic through Mobile Access in order for MAB to be able to rewrite those URLs, as they contain the SAML assertion that needs to go to the SP.

I have tried adding the SAML IdP URL as a web application and including it in the rules.  This almost works, but it seems that the URL rewriting code is either not able to or just isn't updating the SRI in the URL causing the browser to not load it as the SRI value doesn't match the rewritten URL.

I had a TAC case opened with my Diamond Engineer (6-0002161253), but it got closed in the transition from one engineer to another because the debugs that I had provided to the case got lost, and I didn't want to go through and gather debugs all over again for something that I clearly documented as an issue with the MAB URL rewrite.

I wanted to ask the community if anyone had been able to successfully add a web application to MAB that used SAML authentication and, if so, how.

Thanks,

heath
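The failure the post describes, as an added example that is not part of this thread or of any Check Point code: Subresource Integrity (SRI) hashes the bytes of the fetched resource, so a reverse proxy that rewrites absolute URLs inside a script body changes those bytes and the browser refuses to run the script. The origin, the proxy prefix and the script are constructed for illustration.

```python
"""Why reverse-proxy URL rewriting collides with Subresource Integrity (SRI).

Constructed example. A browser runs a <script integrity="..."> only if the
hash of the bytes it actually received matches one of the listed tokens.
A rewriting proxy that edits absolute URLs inside the JavaScript body
produces different bytes, so the origin's integrity attribute no longer matches.
"""
import base64
import hashlib
import re


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the SRI token for a resource body, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def sri_matches(integrity: str, body: bytes) -> bool:
    """Emulate the browser check: pass if any listed token matches the body."""
    for token in integrity.split():
        algo, _, _ = token.partition("-")
        if algo in ("sha256", "sha384", "sha512") and sri_hash(body, algo) == token:
            return True
    return False


def rewrite_urls(body: bytes, origin: str, proxy_prefix: str) -> bytes:
    """Simulate a reverse proxy replacing absolute origin URLs with proxied ones."""
    return re.sub(re.escape(origin).encode(), proxy_prefix.encode(), body)


# Constructed sample: an SP script that posts the SAML response to the ACS endpoint.
ORIGIN = "https://sp.internal.example"                       # hypothetical SP host
PROXY = "https://vpn.example/Web/rewrite-id-placeholder/sp.internal.example"  # hypothetical rewritten base
ORIGINAL_JS = b"fetch('https://sp.internal.example/saml/acs', {method: 'POST'});\n"
INTEGRITY = sri_hash(ORIGINAL_JS)   # what the origin page would emit in <script integrity=...>


def demo() -> dict:
    """Compare the SRI outcome for the untouched and the proxy-rewritten script."""
    rewritten = rewrite_urls(ORIGINAL_JS, ORIGIN, PROXY)
    return {
        "unproxied_passes": sri_matches(INTEGRITY, ORIGINAL_JS),
        "rewritten_passes": sri_matches(INTEGRITY, rewritten),
        "body_changed": rewritten != ORIGINAL_JS,
    }


if __name__ == "__main__":
    print(demo())  # {'unproxied_passes': True, 'rewritten_passes': False, 'body_changed': True}
```

The same logic applies to any intermediary that edits resource bodies; only serving the bytes unchanged, or having the origin emit integrity values for the rewritten content, lets SRI pass.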

4 Replies
PhoneBoy
Admin

This may not be supported.
@MaksimBahunou can you confirm?

0 Kudos
MaksimBahunou
Employee

@PhoneBoy , you are right. Such configuration is not supported.

0 Kudos
Heath_H
Contributor

So what is the answer for that situation, as more and more applications are leveraging SSO, including internal ones?  Further, SRI is a security measure and I only see its use increasing in web-based applications.

Is the recommendation to move to something like an F5 in a DMZ that better handles URL rewriting for internal web applications coupled with SSO and MFA, and just avoid the need for an SSL VPN entirely?

0 Kudos
PhoneBoy
Admin

We have a different solution that handles this use case better called Harmony Connect.
The deployment/management model is a bit different, but it achieves the same result.

0 Kudos