SAML IdP is redirecting to the incorrect hostname

This article will discuss how to arrive at the proper hostname after SAML authentication.

Product: LoadMaster

Version: Any

Platform: Any

Application: Any

We have an internal service (browser application). That service uses (public) MS AzureAD SAML for authentication. The Service Provider Identity is the internal FQDN of this service.

We want to implement a virtual service on the LoadMaster that enables public users to access this internal service including the existing SAML authentication. If possible we want the KEMP to authenticate via SAML before the request is forwarded to the real server where it is authenticated again.

We configured a public DNS name for the internal service and pointed that to a public IP which is then NATed to the IP of our LoadMaster.
We created a virtual service on the LoadMaster and also added client side SSO configuration for SAML.
In the end we managed to let the request hit the LoadMaster and being authenticated. But then the browser is redirected to the internal FQDN of our service. I believe this is because the SAML config for the application has the internal FQDN set as SP Identity.

Do you have any hints for such a scenario? Can we somehow work around this?

Navigate to Virtual Services > Manage SSO > modify the desired SSO > populate the FQDN the client is browsing to in the SP Entity ID field > click Set SP Entity ID. This should have the format of https://<PublicFQDN>/ or http://<PublicFQDN>/, respectively.

The user will be redirected to the value of the SP entity ID field.