F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Ingebrigt_Maurs's avatar
Ingebrigt_Maurs
Icon for Nimbostratus rankNimbostratus
Nov 02, 2014

APM as a SP, with multiple IDP connectors, both IDP and SP initiated

Hi !   How to configure APM as a SP, with multiple IDP connectors receiving both IDP and SP initiated requests?   My rig   I'm using APM as a SP. My SP should support multiple IDP's, and bot...
BIG-IP Access Policy Manager (APM)
security
Ingebrigt_Maurs's avatar
Ingebrigt_Maurs
Icon for Nimbostratus rankNimbostratus
Nov 04, 2014

Hi Arnaud!

 

I use BIG-IP version 11.6.0 build 0.0.401 Final

 

My issue is not the same as SOL15756, but fails in a similar manner.

 

Interestingly, I also experience SOL15756

 

  1. I use Postman to send an IDP initiated assertion to BIG-IP
  2. I kill the session using Manage Sessions -> Kill selected Sessions
  3. I use Postman to send a new IDP initiated assertion.

This will fail as described in SOL15756. If I retry step 3, it succeeds.

 

I found a workaround for SOL15756. If I clear my browser cache before step 3, the problem does not happen. I believe the cause of SOL15756 must be some problem with how BIG-IP handles clients when the serverside session has been deleted. When this happens I think serverside variables (like session.saml.last.result ) are not properly populated.

 

The problem I experience is similar, it is caused by BIG-IP serverside variables not always being populated as required by my APM logic.

 

The reason the session variables are not populated is different in my scenario. In my scenario the cause is that IDP initiated and SP initiated requests populate serverside variables (like session.server.landinguri ) differently. This creates a problem when I want to match requests to different IDP Connectors using Matching rules.