Use iRules to validate signed payload
I am working on an Okta implementation for a website behind a BigIP. Note we do NOT have the APM so this is just LTM and any iRules I need to write.
The issue is I receive a message as a posted parameter to the webapp. The field is called SAMLResponse. In Okta, we signed the assertion (SAMLResponse data) with a certificate (all Base64 encoded). I understand the idea of validating a client certificate, but the piece that puzzles me is that all the cert data is in this SAMLResponse variable. So for me to use any iRules statements to deal with the certificate, I presume I have to load that so I can check various fields.
My thought is something like this:
- I load the Okta certificate they used to sign the SAMLResponse into the BigIP; then I assume that I have to somehow dissect this SAMLResponse parameter to let the BigIP check that the items were properly signed. If so, I can pass the identifying data to the BigIP (email in this case).
Am I on the right track? I would appreciate it if anyone has done something where they use the BigIP to validate that a payload has been signed with the cert and not tampered with.
I know there is plenty of info on Okta and BigIP available, but it all seems centric to the APM. I am really just trying to use the BigIP to validate the data signing, versus a SAML provider endpoint as the APM examples illustrate.