Forum Discussion

andradejp
Mar 25, 2024

APM with EntraID as idP / request signed

Hi experts.

I need your help to solve an issue. I'm configuring a new environment with BIG-IP version 15.1.8.2 Build 0.0.17 Point Release 2. I have APM working fine with SSO using EntraID (AzureAD) as IdP. Now, I need to enable signed requests (Enforce signed SAML authentication requests - Microsoft Entra ID | Microsoft Learn).

I generated the self-signed certificate and imported it into my app in Azure and on my BIG-IP.

I changed my config in Access > Federation > SAML Identity Provider and assigned my self-signed certificate (pk included) to sign the request.

But, I've received the below error by EntraID:

Sign-in error code: 76021

Failure reason: The request sent by client is not signed while the application requires signed requests

All attempts were made via browser (SSL VPN).

Thank you.

  • From your description it sounds like you are the SP (you send MS the (signed) auth requests) and Microsoft is the IdP (they send back an auth assertion (that should always be signed)). When your BIG-IP is acting as a SAML SP, it uses the "IdP Connector" object to logically connect your local SP service to the remote IdP service. The GUI tries to use simple language to describe the purpose of the setting, "Authentication Request sent by this device to IdP", but SAML has a lot of different settings that can be confusing.

     Here's a screenshot of the GUI for that one:

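As an added diagnostic (not part of this thread, and not BIG-IP or Entra ID code), the following Python script shows where the signature lives in each SAML binding and checks whether an AuthnRequest leaving the SP actually carries one, which is what Entra ID's error 76021 is complaining about. The AuthnRequest XML, tenant id, issuer and signature values are constructed placeholders; the script checks only for the presence of a signature, not its cryptographic validity.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAML_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DSIG_NS = "{http://www.w3.org/2000/09/xmldsig#}"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
IDP_URL = "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"  # placeholder tenant

# Constructed sample AuthnRequest, not a real capture from BIG-IP or Entra ID.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
    f'Version="2.0" IssueInstant="2024-03-25T00:00:00Z" Destination="{IDP_URL}">'
    '<saml:Issuer>https://vpn.example.com/</saml:Issuer>'
)
UNSIGNED_XML = AUTHN_REQUEST + "</samlp:AuthnRequest>"
# Enveloped ds:Signature with a dummy value: we check presence, not cryptographic validity.
SIGNED_XML = AUTHN_REQUEST + (
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
    f'<ds:SignatureMethod Algorithm="{RSA_SHA256}"/></ds:SignedInfo>'
    '<ds:SignatureValue>ZHVtbXk=</ds:SignatureValue></ds:Signature></samlp:AuthnRequest>'
)

def build_redirect_url(xml, sig_alg=""):
    """Encode an AuthnRequest as an SP does for HTTP-Redirect: raw DEFLATE, base64, query."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    params = {"SAMLRequest": base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()}
    if sig_alg:  # a signed Redirect request adds SigAlg and Signature as query parameters
        params["SigAlg"], params["Signature"] = sig_alg, "ZHVtbXk="  # dummy signature value
    return IDP_URL + "?" + urlencode(params)

def inspect_redirect(url):
    """Redirect binding: the signature is not in the XML but in the SigAlg/Signature params."""
    qs = parse_qs(urlparse(url).query)
    root = ET.fromstring(zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15))
    return {"issuer": root.findtext(SAML_NS + "Issuer"),
            "signed": "Signature" in qs and "SigAlg" in qs,
            "sig_alg": qs.get("SigAlg", [None])[0]}

def inspect_post(saml_request_b64):
    """POST binding: the signature is an enveloped ds:Signature element inside the request."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    sig = root.find(DSIG_NS + "Signature")
    method = sig.find(f"{DSIG_NS}SignedInfo/{DSIG_NS}SignatureMethod") if sig is not None else None
    return {"issuer": root.findtext(SAML_NS + "Issuer"),
            "signed": sig is not None,
            "sig_alg": method.get("Algorithm") if method is not None else None}
```

Paste the Location header or SAMLRequest form field captured from the browser into `inspect_redirect` or `inspect_post`; a result of `signed: False` means the BIG-IP IdP Connector is still sending unsigned requests regardless of what the certificate setting shows.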
  • Hi Lucas,

    We are stuck in a scenario where F5 APM is the SP and Azure EntraId is the SAML IDP with no FAS, only the StoreFront. My question: can this setup work without FAS in the first place?