Airlock Gateway (WAF) configuration for SAML

To use IAM with SAML, the Airlock Gateway (WAF) IAM mapping configuration must be adapted as follows:

  • Enable the default SAML Allow rule "AuthSamlAllow".
  • To support SP-initiated SSO, add a "Rewrite Response Redirect Location" rule on the IDP mapping, in addition to the default "Translate Internal Address" rule, using the pattern and replacement shown below. The existing "Translate Internal Address" rule may differ on your system depending on its configuration.

    Redirect URL Pattern:

    &goto=https?%3A%2F%2F(?:(?!%2F).)+%2F%BACKENDPATH%(%2F.*)?$

    Replace with:

    &goto=%ENTRYPROTOCOL%%3A%2F%2F%ENTRYHOST%%2F%ENTRYPATH%$1

    This rewrite rule ensures that the goto target in the redirect URL issued by the IDP is translated so that it is correct from the browser's point of view (the protocol, host and path used internally may differ from those exposed externally). Note that the pattern is anchored with $, so it only matches when goto is the last query parameter of the redirect location.
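The following Python snippet is an added example, not part of Airlock's documentation or product, that applies the rule above to sample Location headers so you can check what it rewrites before deploying it. The placeholder values for %BACKENDPATH%, %ENTRYPROTOCOL%, %ENTRYHOST% and %ENTRYPATH% are constructed assumptions standing in for what the Gateway substitutes from the IDP mapping.

```python
import re

# Constructed stand-ins for the values Airlock Gateway substitutes from the
# mapping; on a real system they come from the IDP mapping configuration.
PLACEHOLDERS = {
    "%BACKENDPATH%": "app",            # backend (internal) path of the mapping
    "%ENTRYPROTOCOL%": "https",        # protocol the browser used to reach the Gateway
    "%ENTRYHOST%": "www.example.com",  # external hostname the browser sees
    "%ENTRYPATH%": "app",              # entry (external) path of the mapping
}

# The rule exactly as given on the page.
PATTERN = r"&goto=https?%3A%2F%2F(?:(?!%2F).)+%2F%BACKENDPATH%(%2F.*)?$"
REPLACEMENT = r"&goto=%ENTRYPROTOCOL%%3A%2F%2F%ENTRYHOST%%2F%ENTRYPATH%$1"


def expand_pattern(template: str) -> str:
    """Substitute placeholders into the regex, escaping values so that a '.'
    or similar in a path cannot change the meaning of the pattern."""
    for name, value in PLACEHOLDERS.items():
        template = template.replace(name, re.escape(value))
    return template


def expand_replacement(template: str) -> str:
    """Substitute placeholders into the replacement and convert Airlock's $1
    back-reference to Python's \\1 form."""
    for name, value in PLACEHOLDERS.items():
        template = template.replace(name, value)
    return template.replace("$1", r"\1")


def rewrite_location(location: str) -> str:
    """Return the Location header value after applying the rewrite rule.
    Locations that do not match (e.g. goto pointing at another backend path,
    or goto not being the last query parameter) are returned unchanged."""
    return re.sub(expand_pattern(PATTERN), expand_replacement(REPLACEMENT), location)


if __name__ == "__main__":
    # Constructed sample of an internal IDP redirect carrying a goto parameter.
    sample = ("https://idp.internal:8443/saml/login?RelayState=x"
              "&goto=https%3A%2F%2Fapp.internal%3A8080%2Fapp%2Fprotected%2Fpage")
    print(rewrite_location(sample))
```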