sundogbrew
Jun 08, 2018

APM SAML help...

Let me start with I am new to both APM and SAML. I am running 12.1.2. I set up an access policy to allow or block access to a website using local users and it works fine, so I think I am good with that (the easy) part. I want to do the same thing but using SAML, so I followed this doc https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-12-1-0/31.html.

 

So I configured the SAML IdP connector (is there a way to test this?)

 

I created a virtual server (with no pool or attributes).

 

I configured a SAML SP service and used the virtual server I just created.

 

I connected the SAML SP and the SAML IdP connector.

 

I exported the metadata (had the IdP admin install it on the IdP).

 

Then I pointed the access policy from above to the SAML SP service.

 

When I go to the website, I get a login page and put in credentials. Then it is like it redirects to the IdP server and I get a blank page.

 

It would be great if I could test along the way, but maybe some help as to where to start troubleshooting it. Actually any help would be AWESOME!

 

Thanks as always, Joe

 

  • OK, I got a little farther today. It seems like a lot of what I asked before is working. It redirects to our master login page and authenticates, and then redirects back and stops there.

     

    So I am wondering if anyone can help me with this part now. I set up the F5 as an SP, we will call that F5sp.x.edu, and then I set up test.x.edu as my test VIP. My policy says start->SAML auth-> success or fail... I added that to test.x.edu. When the IdP authenticates it sends me back to F5sp.x.edu. Should it return there, and then that knows to return you to test.x.edu, or should the IdP return to test.x.edu? I thought I saw somewhere that there was a setting where you could set up a different return. Then do you need a different IdP for each app that you use this for?

     

    In my logs I get

     

    /Common/F5-As-SAML-SP:Common:6fd8d6c7: Received User-Agent header: Mozilla%2f5.0%20(X11%3b%20Ubuntu%3b%20Linux%20x86_64%3b%20rv%3a60.0)%20Gecko%2f20100101%20Firefox%2f60.0.

     

    and then

     

    /Common/F5-As-SAML-SP:Common:6fd8d6c7: New session from client IP 1.1.1.1 (ST=actualplace/CC=US/C=NA) at VIP 2.2.2.2 Listener /Common/test.x.edu (Reputation=Unknown)

     

    Thanks, Joe

     

  • Try to tail the APM logs:

     

    tail -f /var/log/apm

     

    And check the errors you receive there. If almost nothing shows up, change the logging level for APM. 9 out of 10 times the reason why SAML fails is quite clear there.

     

  • Jens, thanks for the response.

     

    So I go to blablabla.mydomain.com, which has the F5-As-SAML-SP set as its access policy. It is just a simple start->SAML Auth-> success or fail. It redirects me to our login page, I log in successfully and get redirected back to my SP, where I get a connection reset error. It is a nonsecure error for the VIP for the SP, f5sp.mydomain.com/saml/sp/profile/post/acs. It's like the SP passes the connection off fine and authentication is fine, but on the return from the login page I get blown up by the F5sp VIP.

     

    Here is what I get in /var/log/apm:

     

    Jun 12 13:05:16 dc-lb1 notice tmm[28878]: 01490506:5: /Common/F5-As-SAML-SP:Common:6918d4fe: Received User-Agent header: Mozilla%2f5.0%20(Macintosh%3b%20Intel%20Mac%20OS%20X%2010_12_6)%20AppleWebKit%2f537.36%20(KHTML%2c%20like%20Gecko)%20Chrome%2f67.0.3396.62%20Safari%2f537.36.

     

    Jun 12 13:05:16 dc-lb1 notice tmm[28878]: 01490500:5: /Common/F5-As-SAML-SP:Common:6918d4fe: New session from client IP 1.1.1.1 (ST=Pennsylvania/CC=US/C=NA) at VIP 2.2.2.2 Listener /Common/blablabla.com (Reputation=Unknown)

     

    Jun 12 13:07:13 dc-lb1 notice tmm1[28878]: 01490502:5: /Common/F5-As-SAML-SP:Common:0d986505: Session deleted due to user inactivity.

     

    Jun 12 13:07:14 dc-lb1 notice tmm[28878]: 01490502:5: /Common/F5-As-SAML-SP:Common:09f781f0: Session deleted due to user inactivity.

     

    Does "(Reputation=Unknown)" matter? That's all I see in there that means anything.

     

    Thank you, Joe
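The two sets of /var/log/apm lines quoted above (first at test.x.edu, then at blablabla.mydomain.com) show the pattern to look for when the browser never makes it back to the SP's ACS URL: a session is created, nothing else is logged for it, and APM deletes it for inactivity. The script below is an added example, not from the original posts or from F5; it parses that line format and flags such stalled sessions. The sample log is constructed, modelled on the lines Joe posted, and the "Following rule" policy-branch message is assumed to be what APM logs when a policy advances.

```python
import re
from collections import defaultdict

# Shape of the BIG-IP APM log lines quoted in the thread (/var/log/apm):
#   <Mon DD HH:MM:SS> <host> <level> <proc>[pid]: <msgid>:<sev>: <profile>:<partition>:<sid>: <text>
APM_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<level>\w+) "
    r"(?P<proc>\w+)\[\d+\]: (?P<msgid>[0-9a-f]{8}):\d+: "
    r"(?P<profile>/[^:]+):(?P<partition>[^:]+):(?P<sid>[0-9a-f]{8}): (?P<text>.*)$"
)

# Constructed sample modelled on the posted lines; not copied from a live box.
SAMPLE_LOG = """\
Jun 12 13:05:16 dc-lb1 notice tmm[28878]: 01490506:5: /Common/F5-As-SAML-SP:Common:6918d4fe: Received User-Agent header: Mozilla%2f5.0.
Jun 12 13:05:16 dc-lb1 notice tmm[28878]: 01490500:5: /Common/F5-As-SAML-SP:Common:6918d4fe: New session from client IP 1.1.1.1 (ST=Pennsylvania/CC=US/C=NA) at VIP 2.2.2.2 Listener /Common/blablabla.com (Reputation=Unknown)
Jun 12 13:05:40 dc-lb1 notice tmm[28878]: 01490500:5: /Common/F5-As-SAML-SP:Common:0d986505: New session from client IP 1.1.1.1 (ST=Pennsylvania/CC=US/C=NA) at VIP 2.2.2.2 Listener /Common/blablabla.com (Reputation=Unknown)
Jun 12 13:05:41 dc-lb1 notice tmm[28878]: 01490005:5: /Common/F5-As-SAML-SP:Common:0d986505: Following rule 'Successful' from item 'SAML Auth' to ending 'Allow'
Jun 12 13:07:13 dc-lb1 notice tmm1[28878]: 01490502:5: /Common/F5-As-SAML-SP:Common:6918d4fe: Session deleted due to user inactivity.
"""


def parse_apm_log(text):
    """Group APM log lines by session ID (the 8-hex-digit token after the partition)."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = APM_LINE.match(line)
        if not m:
            continue  # not a per-session APM line (e.g. a daemon message); skip it
        sessions[m["sid"]].append((m["ts"], m["msgid"], m["text"]))
    return dict(sessions)


def stalled_sessions(sessions):
    """Return session IDs that were created and later deleted without ever
    advancing through a policy branch. That is the footprint left when the
    IdP redirect goes out but the POST back to /saml/sp/.../acs never
    reaches the access policy (e.g. it is reset before APM sees it)."""
    stalled = []
    for sid, events in sessions.items():
        texts = [t for _, _, t in events]
        created = any(t.startswith("New session from client IP") for t in texts)
        # Assumed: APM logs "Following rule ..." each time a policy branch is taken.
        progressed = any(t.startswith("Following rule") for t in texts)
        deleted = any(t.startswith("Session deleted") for t in texts)
        if created and deleted and not progressed:
            stalled.append(sid)
    return sorted(stalled)
```

Pipe a real log through it with `parse_apm_log(open("/var/log/apm").read())`; a steady stream of stalled sessions for the SP profile, with no matching branch messages, points at the return leg rather than at the IdP.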

     

  • I can see I have stumped the gang on this? Or our SAML APM guys are on vacation. Oh well, I'm gonna keep posting. So I did a tcpdump and searched on host, and whether I use the IP of my SP or the IP of my test machine I get the same info. Interesting: I captured the message back to my test IP and I got a reset, which I see in my browser. The reason for this is rst_cause="[0x23e54b4:4135] No server selected". In the configuration doc it never mentions adding a pool or any other attributes to the virtual server for the F5-as-SP VIP. How do I assign a server, or how does it know to get back to the proper server? I feel like I am missing something very simple here, but I am missing it by a mile!

     

    Any help? Thanks, Joe