Forum Discussion

nland_178813
Dec 16, 2014

APM as SAML SP

Hello, I have the BIG-IP virtual environment and I am trying to set up APM as a SAML SP. I've followed this KB to set it up successfully. However, I'm having a lot of trouble with the virtual server side of things. My understanding is that the virtual server is hit from a request from an IdP, and then the virtual server kicks the access policy into gear, then authenticating the user against the BIG-IP system. My issue is, my virtual server is not accessible, so when I try to complete the SAML authentication, I see that the connection has timed out.

I have done the following:

  • Configured an access policy for SAML SP
  • Configured a virtual server with an IP address on a different VLAN than the one that BIG-IP resides on
  • Configured an external IdP
  • Configured a SAML SP service
  • Configured a VLAN

I'm not fully sure if the VLAN setup is correct. I had spoken with someone at F5, and they vaguely explained that I needed to have a VLAN set up inside my system, and that would allow me to dedicate an IP to the virtual server. I've ssh'd into the box, and I can ping the IP of the virtual server successfully.

It appears that I have all of the necessary components to complete this task; however, I have been fighting for a few days trying to figure out what the issue is. I think it's important to note that my virtual server usually is displaying a status of "unknown". However, I've created a pool, and once I did that, I see that the server status is now "available". Currently I can see traffic to the virtual server, but I'm still not able to access it from anywhere. The link I'm trying to hit is something of the nature

Any help would be greatly appreciated.

  • Sorry for the delayed response. I was able to get this working correctly. After talking with my networking guy, we discovered we had an issue in our network setup. Once we corrected our network issue, I was able to set up APM as an SP without issue.


    •
      ebeng_278441

      Can you please share some config of your APM policy and SP settings?


  •
    AN

    @nland

    I am planning to configure (ADFS as IdP and F5 APM as SP). I have the APM policy as:

    Start -> SAML Auth -> SSO Credential Mapping -> Allow
                                                    Deny

    I imported the XML file from ADFS into External IdP Connectors under SAML -> BIG-IP as SP.

    Local SP Services configured as follows:

    General Settings
    ~~~~~~~~~~~~~~~~
    Name: F5-SP
    Entity ID: https://login.example.com
    SP Name Settings: Scheme: https, Host: login.example.com

    Endpoint Settings
    ~~~~~~~~~~~~~~~~~
    Assertion Consumer Service Binding: POST

    Security Settings
    ~~~~~~~~~~~~~~~~~
    Checked: Authentication Request (the certificate and keys selected are different from ADFS's)
    Checked: Want Signed Assertion
    Unchecked: Want Encrypted Assertion

    Advanced Settings
    ~~~~~~~~~~~~~~~~~
    Unchecked: Force Authentication
    Checked: Allow Name-Identifier Creation
    Name-Identifier Policy Format: urn:oasis:names:tc:SANL:1.1:nameid-format:WindowsDomainQual...
    SP Name-Identifier Qualifier: None

    I am getting the following error:

    /frontend/F5-SP:frontend:dbad7144: Executed agent '/frontend/F5-SP_act_saml_auth_ag', return value 3
    /frontend/F5-SP:frontend:dbad7144: Session variable 'saml./frontend/F5-SP_act_saml_auth_ag.SAMLRequest' set to 'hhhhhhhhhhhhXXXXXX'
    /frontend/F5-SP:frontend:dbad7144: SAML Agent: /frontend/F5-SP_act_saml_auth_ag SAML assertion is invalid, error: Assertion status is not successful
    /frontend/F5-SP:frontend:dbad7144: Executed agent '/frontend/F5-SP_act_saml_auth_ag', return value 0
    /frontend/F5-SP:frontend:dbad7144: Following rule 'fallback' from item 'SAML Auth' to ending 'Deny'
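The "Assertion status is not successful" line above is APM reporting that the IdP's Response carried a <samlp:Status> other than Success, so the first thing to read from a captured SAMLResponse POST value is that Status block. The following is an added example, not code from the thread or from F5: it decodes a SAMLResponse form value and reports the top-level and nested StatusCode, the StatusMessage, and whether an Assertion is present at all. The sample response is constructed; its InvalidNameIDPolicy code is one standard reason an IdP refuses a request, and the thread does not establish AN's actual cause.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in a Response.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def inspect_saml_response(samlresponse_b64):
    """Decode a base64 SAMLResponse POST value and summarise its Status.

    A top-level StatusCode other than Success is what APM logs as
    'Assertion status is not successful'. For responses captured from real
    traffic, parse with defusedxml rather than xml.etree (entity expansion).
    """
    root = ET.fromstring(base64.b64decode(samlresponse_b64))
    status = root.find("samlp:Status", NS)
    if status is None:
        raise ValueError("no samlp:Status element in Response")
    top = status.find("samlp:StatusCode", NS)
    nested = top.find("samlp:StatusCode", NS) if top is not None else None
    msg = status.find("samlp:StatusMessage", NS)
    return {
        "status": top.get("Value") if top is not None else None,
        "nested_status": nested.get("Value") if nested is not None else None,
        "message": msg.text if msg is not None else None,
        "has_assertion": root.find("saml:Assertion", NS) is not None,
        "success": top is not None and top.get("Value") == SUCCESS,
    }

# Constructed sample (not captured from the thread): a Responder failure with
# an InvalidNameIDPolicy second-level code and no Assertion.
SAMPLE_RESPONSE = base64.b64encode(b"""<samlp:Response
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_example" Version="2.0" IssueInstant="2014-12-16T00:00:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>NameIDPolicy not supported</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>""").decode()

if __name__ == "__main__":
    print(inspect_saml_response(SAMPLE_RESPONSE))
```

The nested StatusCode and StatusMessage are where the IdP explains the refusal; on the ADFS side the same failure is normally also visible in its own event log.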