Forum Discussion
APM SAML CITRIX Storefront
Using APM as SAML SP with external IdP connector ADFS.
Followed this article https://devcentral.f5.com/s/articles/citrix-federated-authentication-service-integration-with-apm-24489:
F5 is passing the logonpage to ADFS but not able to pass SSO to Storefront.
APM logs show "Could not find SSO username, check SSO credential mapping agent."
Can you confirm session.saml.last.nameIDValue is assigned the correct value?
- Dathi
Nimbostratus
Yes it does. It's the username I used to log in.
Weird, does the StoreFront side show something useful, like the username or a hint on a bad password?
- Dathi
Nimbostratus
It does not go that far. After authenticating at the ADFS page, the next page it lands on is the StoreFront logon page with the username in the username field and an empty password. It seems as if it's waiting on the user to enter the password and click LOGON.
Most likely because it doesn't appear to have the username ready, but that is difficult to check via a questions section like this. I would engage F5 support by now; it is easier for them to check things in a live environment.
- Dathi
Nimbostratus
Thank you, yes, support is involved but they are unable to determine where the problem is. I am not a SAML expert but from what I know, SAML just passes or should pass a token to the Citrix StoreFront. I cannot see where the disconnect is.
I saw another question which triggered something.
Which SSO method are you using currently? Because if you get a username and password login, that will logically fail, I believe. You don't pass on the SAML assertion; that gets accepted by BIG-IP, which then has to do passwordless SSO, I believe, so Kerberos for example.
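To see what the SP side actually has to work with after ADFS posts back, here is an added example (not code from the thread or from F5) that decodes a SAMLResponse form value, pulls out the NameID and attributes that end up in variables like session.saml.last.nameIDValue, and reduces the NameID to a bare account name of the kind an SSO credential mapping needs. The assertion is a constructed sample, and the stripping of a DOMAIN\ prefix or @realm suffix is an assumption about the mapping, not something stated in the thread.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in the Response and Assertion elements
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not a real capture): the shape of what an IdP such as ADFS posts to the SP
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">CORP\\jdoe</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
        <saml:AttributeValue>jdoe@corp.example</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# The browser POST carries the XML base64-encoded in the SAMLResponse form field
SAMPLE_SAMLRESPONSE = base64.b64encode(SAMPLE_XML.encode()).decode()


def parse_saml_response(b64_response):
    """Decode a SAMLResponse value; return the NameID, its Format, and the attribute statement."""
    root = ET.fromstring(base64.b64decode(b64_response))
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"nameid": name_id.text if name_id is not None else None,
            "format": name_id.get("Format") if name_id is not None else None,
            "attributes": attrs}


def sso_username_candidate(parsed):
    """Reduce the NameID to a bare account name for an SSO credential mapping (assumption:
    the mapping wants sAMAccountName-style input). Returns None when the assertion carries
    no usable NameID, i.e. when there is nothing for the mapping agent to find."""
    name_id = parsed["nameid"]
    if not name_id or not name_id.strip():
        return None
    user = name_id.strip()
    if "\\" in user:              # DOMAIN\user -> user
        user = user.split("\\", 1)[1]
    if "@" in user:               # user@realm -> user
        user = user.split("@", 1)[0]
    return user or None
```

Feed it the SAMLResponse value captured from the browser POST to the SP endpoint; if `sso_username_candidate` returns None, the credential mapping has nothing to map regardless of how the SSO object is configured.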
- Dathi
Nimbostratus
The goal is to use SAML, and my APM looks like this.
Yeah, sorry, got confused. You did configure your Citrix Federated Authentication Service (FAS) as described at the start of the article you linked?
- Dathi
Nimbostratus
Yes, it's configured. But it only comes into the picture when the user attempts to launch an app after successfully SSO'ing to StoreFront. In my case, the SSO'ing is not happening from F5 APM to StoreFront.
- dromerot
Nimbostratus
Hi Dathi,
Have you been able to pass SSO to StoreFront? I don't see any traffic from APM to StoreFront, only health check traffic. I see the log "Following rule 'fallback' from item 'Session Variable Assign' to ending 'Allow'" but I don't see any packet from APM to StoreFront.
However, I can see the right SAML Assertion and the right username got from IdP in the APM.
Thanks, best regards.
- Dathi
Nimbostratus
No, actually, it stands as is. F5 tech support was not able to determine the flow or the bottleneck. I am still looking for answers.
- dromerot
Nimbostratus
Hi Dathi,
Thanks.
On the other hand, I see an iRule in the Virtual Server, which has been added automatically with the iApp and I don't know if I have to delete it.
I've read in the link you posted "12/21/2016 - Removed an iRule that is not needed for SSO to function properly in a complete deployment".
Maybe we have to delete this iRule! I don't know!
Thanks, best regards.
- Dathi
Nimbostratus
There wasn't any iRule set automatically.
- dromerot
Nimbostratus
OK Dathi,
I've deployed the iApp Citrix VDI 2.4.6 and it set an iRule automatically to the Virtual Server. It is this one:
- Dathi
Nimbostratus
Yes, I see this as well but removing this has also not helped.