APM as SAML SP using existing Virtual Server
Hi,
I'm trying to set up a simple pre-authentication, where for external access, APM will require you to sign in to ADFS before allowing access to a back end resource.
I can successfully log in, and my access policy goes to the "Allow" state, but I still can't view the resource. I end up at https://service.contoso.com/saml/sp/profile/post/acs, but that page doesn't return anything back.
When I remove the access policy from the virtual server, the virtual server works fine.
Is there anything I have to do to use the same virtual server for both the resource and the SAML SP?
We're running BIG-IP 11.6.0.
I'm using this documentation: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-saml-config-guide-11-3-0/4.html
Thanks
3 Replies
Are you doing SP-initiated login? Can you post a copy of your access policy?
- jamed_40076
Nimbostratus
Yes, SP-initiated.
The Access Policy is just:
Start -> SAML Auth -> Successful +> Allow -> Fallback +> Deny
The access profile is pretty much default, single domain, no domain cookie, secure cookie, no SSO configuration.
The Local SP Services is set up as follows:
Entity id: https://service.contoso.com/sp
Assertion Consumer Service Binding: Post
Security Settings: All checked
SP's Authentication Signing/Assertion Decryption Private Key: service.contoso.com.key
SP Certificate: service.contoso.com.crt
Same certificate used to encrypt the https://service.contoso.com Virtual Server.
I just used the ADFS template to create the SAML IDP Connector.
Thanks
- jamed_40076
Nimbostratus
I found the issue. APM does not play nice with anything STREAM in the HTTP_Response (even when it wasn't doing anything). To fix it I added a rule (if {[HTTP::header value server] contains "/servicename/"}) so that it wouldn't fire during the APM response.