Forum Discussion
jamed_40076
Nimbostratus
Nov 04, 2015
APM as SAML SP using existing Virtual Server
Hi,
I'm trying to set up a simple pre-authentication, where for external access, APM will require you to sign in to ADFS before allowing access to a back end resource.
I can successfully l...
jamed_40076
Nimbostratus
Nov 04, 2015
Yes, SP-initiated.
The Access Policy is just:
Start -> SAML Auth -> Successful +> Allow
                   -> Fallback +> Deny
The access profile is pretty much default, single domain, no domain cookie, secure cookie, no SSO configuration.
The Local SP Services is set up as follows:
Entity id: https://service.contoso.com/sp
Assertion Consumer Service Binding: Post
Security Settings: All checked
SP's Authentication Signing/Assertion Decryption Private Key: service.contoso.com.key
SP Certificate: service.contoso.com.crt
Same certificate used to encrypt the https://service.contoso.com Virtual Server.
I just used the ADFS template to create the SAML IDP Connector.
Thanks
jamed_40076
Nimbostratus
Nov 05, 2015
I found the issue. APM does not play nice with anything STREAM in the HTTP_Response (even when it wasn't doing anything). To fix it I added a rule (if {[HTTP::header value server] contains "/servicename/"}) so that it wouldn't fire during the APM response.