Forum Discussion
APM with EntraID as idP / request signed
Hi experts.
I need your help to solve an issue. I'm configuring a new environment with BIG-IP version 15.1.8.2 Build 0.0.17 Point Release 2. I have APM working fine with SSO using EntraID (AzureAD) as IdP. Now, I need to enable signed requests (Enforce signed SAML authentication requests - Microsoft Entra ID | Microsoft Learn).
I generated the self-signed certificate and imported it on my app in Azure and on my BIG-IP.
I changed my config in Access > Federation > SAML Identity Provider and assigned my self-signed certificate (private key included) to sign the request.
But, I've received the below error by EntraID:
Sign-in error code: 76021
Failure reason: The request sent by client is not signed while the application requires signed requests
All attempts were made by browser (SSL VPN).
Thank you.
- Lucas_ThompsonEmployee
From your description it sounds like you are the SP (you send MS the (signed) auth requests) and Microsoft is the IdP (they send back an auth assertion (that should always be signed)). When your BIG-IP is acting as a SAML SP, it uses the "IdP Connector" object to logically connect your local SP service to the remote IdP service. The GUI tries to use simple language to describe the purpose of the setting, "Authentication Request sent by this device to IdP", but SAML has a lot of different settings that can be confusing.
Here's a screenshot of the GUI for that one:
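Added example, not part of this thread or of F5's own tooling: a small Python check for the situation above (error 76021), which inspects the SP's redirect to the IdP and reports whether the AuthnRequest is signed in the query string (HTTP-Redirect binding) or carries an embedded ds:Signature (POST binding). The tenant id, SP hostname and signature value are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample values; the tenant id and SP hostname are placeholders.
IDP_SSO_URL = "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"
SIG_ALG_RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    f'xmlns:saml="{SAML_NS}" ID="_constructed-1" '
    'Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    '<saml:Issuer>https://sp.example.com/</saml:Issuer></samlp:AuthnRequest>'
)

def encode_redirect_request(xml_text: str) -> str:
    """HTTP-Redirect binding: SAMLRequest = base64(raw DEFLATE(xml))."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def decode_redirect_request(b64: str) -> str:
    return zlib.decompress(base64.b64decode(b64), -15).decode()

def build_sso_url(xml_text: str, signed: bool) -> str:
    """Constructed SP->IdP redirect; the Signature value is a placeholder, not a real RSA signature."""
    params = {"SAMLRequest": encode_redirect_request(xml_text)}
    if signed:
        params["SigAlg"] = SIG_ALG_RSA_SHA256
        params["Signature"] = base64.b64encode(b"placeholder-signature-bytes").decode()
    return f"{IDP_SSO_URL}?{urlencode(params)}"

def inspect_sso_url(url: str) -> dict:
    """Report how (or whether) the AuthnRequest carried in this URL is signed.
    The Redirect binding signs the query string (SigAlg + Signature); a ds:Signature
    element inside the XML is what the POST binding uses. Parse untrusted input
    with defusedxml rather than xml.etree."""
    qs = parse_qs(urlparse(url).query)
    root = ET.fromstring(decode_redirect_request(qs["SAMLRequest"][0]))
    return {
        "issuer": root.findtext(f"{{{SAML_NS}}}Issuer"),
        "query_signed": "SigAlg" in qs and "Signature" in qs,
        "embedded_signed": root.find(f"{{{DS_NS}}}Signature") is not None,
        "sig_alg": qs.get("SigAlg", [None])[0],
    }

if __name__ == "__main__":
    for signed in (False, True):
        print("signed" if signed else "unsigned", inspect_sso_url(build_sso_url(SAMPLE_AUTHN_REQUEST, signed)))
```

Run it against a real redirect captured from the browser's address bar (before the IdP responds) to confirm whether the BIG-IP actually attached SigAlg and Signature; if query_signed is False, the IdP Connector's request-signing setting is the place to look.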
- tipsingh80Nimbostratus
Hi Lucas,
We are stuck in a scenario where F5 APM is the SP and Azure EntraId is the SAML IdP with no FAS, only the StoreFront. My query: can this setup work without FAS in the first place?