Forum Discussion
APM IdP SAML config for sharefile
Hi all,
We are trying to configure SAML following an F5 SAML guide. Our setup should have F5 as the SAML IdP and sharefile.com as the SP. Does anyone have experience with this architecture?
What we already have:
- F5 APM config:
Entity ID: https://auth.customer.com
Bound SP Entity: https://serviceat.sharefile.com/saml/info
Assertion Consumer Service URL: https://serviceat.sharefile.com/saml/acs
- ShareFile config:
ShareFile Issuer: https://serviceat.sharefile.com/saml/info
IdP Issuer: https://auth.customer.com
Login URL: https://auth.customer.com/saml/idp/profile/redirectorpost/sso
Logout URL: https://auth.customer.com/saml/idp/profile/post/sls
When the user tries to log in on ShareFile, he is redirected to the F5 APM login page; after a successful login, the URL https://auth.customer.com/saml/idp/profile/redirectorpost/sso?SAMLRequest=blablabal.... is requested via GET, but we don't get any response there, so no redirect to the Assertion Consumer Service of ShareFile can be seen.
With the SAML tracer I can see the request to the F5:
https://serviceat.sharefile.com/saml/info
urn:oasis:names:tc:SAML:2.0:ac:classes:Password
Does anyone have an already running SAML configuration like this, or any hints on what we are doing wrong here? It seems to me that the APM doesn't listen on the requested URL.
Thanks in advance,
Philipp
- kunjan (Nimbostratus)
The ACS URL looks different in the config, though I'm not very sure that by itself will break it. Are you using metadata from the SP to import into APM?
If you can share the logs after enabling debug under 'Local IdP Services', it might help.
- Philipp_Stadler (Nimbostratus)
Thanks for your fast answer. I get the following error messages:
Jun 30 17:33:10 slot1/shd-adc-1 err tmm[17069]: 014d0002:3: 58d3067c: SSOv2 Error: No SP Connector attached to SAML SSO from assigned SAML resources matching authentication request. If ACS URL is present in authentication request it should match ACS URL from SP Connector. If Issuer is present in authentication request it should match entity_id from SP connector.
Jun 30 17:33:10 slot1/shd-adc-1 err tmm[17069]: 014d0002:3: 58d3067c: SSOv2 Error(16) Unable to find SAML SSO/SP Connector object matching SAML Authn Request
Maybe I didn't understand anything correctly, but the line
https://serviceat.sharefile.com/saml/info
in the request shows that the issuer is the same as configured in APM (External SP connector - General settings - Entity ID).
Also the ACS URL from the request
AssertionConsumerServiceURL="https://serviceat.sharefile.com/saml/acs?idpentityid=http://auth.customer.com"
is the same as configured in APM (External SP connector - Endpoint settings - ACS URL).
Can you please explain why you think the ACS is different?
Thanks, Philipp
- kunjan (Nimbostratus)
So the issue should be that the ACS configured in the SP connector doesn't match the one in the incoming request. I suspect APM expects to match the full URL including the URI query parameter.
Try configuring the full ACS URL "https://serviceat.sharefile.com/saml/acs?idpentityid=http://auth.customer.com" in the SP connector.
With this error, are you seeing the logon page? I would expect some kind of page error.
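The exact-match behaviour this answer describes, as an added example (my code, not F5's or ShareFile's): it decodes a constructed HTTP-Redirect-binding AuthnRequest carrying the Issuer and ACS URL quoted in this thread and checks it against two hypothetical SP connector definitions, one with the bare ACS path and one with the full URL including the query string.

```python
# Added example, not F5 or ShareFile code: reproduces the two checks named in the
# APM "No SP Connector attached" error on a constructed redirect-binding AuthnRequest.
import base64
import xml.etree.ElementTree as ET
import zlib

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def encode_redirect_request(xml_text):
    """HTTP-Redirect binding: raw DEFLATE, then base64 (what SAMLRequest= carries)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def decode_redirect_request(saml_request):
    """Reverse of encode_redirect_request; wbits=-15 means raw DEFLATE, no zlib header."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode()

def parse_authn_request(xml_text):
    """Extract the two values the APM error says it compares."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    return {"issuer": issuer.text.strip() if issuer is not None else None,
            "acs_url": root.get("AssertionConsumerServiceURL")}

def match_sp_connector(req, connectors):
    """Exact string comparison (query string included); a value absent from the
    request is not checked. Returns (matching connector or None, rejection reasons)."""
    reasons = []
    for c in connectors:
        if req["issuer"] not in (None, c["entity_id"]):
            reasons.append(f"{c['name']}: issuer != entity_id")
        elif req["acs_url"] not in (None, c["acs_url"]):
            reasons.append(f"{c['name']}: ACS URL mismatch")
        else:
            return c, reasons
    return None, reasons

# Constructed request using the Issuer and ACS URL quoted in the thread.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0" '
    'IssueInstant="2017-06-30T15:33:10Z" AssertionConsumerServiceURL='
    '"https://serviceat.sharefile.com/saml/acs?idpentityid=http://auth.customer.com">'
    '<saml:Issuer>https://serviceat.sharefile.com/saml/info</saml:Issuer></samlp:AuthnRequest>')
SAMPLE_REQUEST = encode_redirect_request(SAMPLE_XML)
ENTITY = "https://serviceat.sharefile.com/saml/info"
ACS_NO_QUERY = {"name": "acs-without-query", "entity_id": ENTITY,
                "acs_url": "https://serviceat.sharefile.com/saml/acs"}
ACS_FULL = {"name": "acs-with-query", "entity_id": ENTITY,
            "acs_url": "https://serviceat.sharefile.com/saml/acs?idpentityid=http://auth.customer.com"}
```

Running `match_sp_connector(parse_authn_request(decode_redirect_request(SAMPLE_REQUEST)), [ACS_NO_QUERY, ACS_FULL])` rejects the bare-path connector and returns the full-URL one, which is the behaviour the thread ends up confirming.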
- Philipp_Stadler (Nimbostratus)
A step forward - thanks, we really have to configure the full URL including query parameters for the ACS URL on F5 - thanks for that. Now I can also see the POST to the ACS URL on the ShareFile servers. But then I got redirected to the default logon page of serviceat.sharefile.com.
Regards,
btw: yes, I was able to log in on the F5 logon page, but then I got "page not found" (APM follows through the VPE to Allow and then nothing happened any more).
- Philipp_Stadler (Nimbostratus)
For all who will have similar issues or questions: "Signing is Key"!
Thanks for your support, Philipp
- steve_87999 (Nimbostratus)
Hi Philipp,
Are you able to post your ShareFile External SP Connector config?
I think I am having issues with the ACS - not sure if I need
https://serviceat.sharefile.com/saml/acs or https://serviceat.sharefile.com/saml/acs?idpentityid=http://auth.customer.com or both?
Cheers,
Steve