APM with EntraID as idP / request signed

Question

Hi experts.&nbsp;I need your help to solve an issue. I'm configuring a new enviroment with BIG-IP version 15.1.8.2 Build 0.0.17 Point Release 2. I have the APM works fine with SSO using EntraID (AzureAD) as idP. Now, I need to enable the request signed (Enforce signed SAML authentication requests - Microsoft Entra ID | Microsoft Learn).&nbsp;I generated the self signed certificate and import it on my app at Azure and my BIG-IP.&nbsp;I changed my config in Access &gt; Federation &gt; SAML Identity Provider and assigned my self signed certificate (pk included) to assign the request.&nbsp;But, I've received the below error by EntraID:Sign-in error code: 76021Failure reason: The request sent by client is not signed while the application requires signed requests&nbsp;All attemps was made by browser (SSL VPN).&nbsp;Thank you.

lucas_thompson · Answer

From your description it sounds like you are the SP (you send MS the (signed) auth requests) and Microsoft is the IdP (they send back an auth assertion (that should always be signed)). When your BIG-IP is acting as a SAML SP, it uses the "IdP Connector" object to logically connect your local SP service to the remote IdP service. The GUI tries to use simple language to describe the purpose of the setting, "Authentication Request sent by this device to IdP", but SAML has a lot of different settings that can be confusing.
&nbsp;Here's a screenshot of the GUI for that one:

&nbsp;
&nbsp;

Forum Discussion

APM with EntraID as idP / request signed

1 Reply

Recent Discussions

URL

Portal Access to HTTPS resources slow

HOW TO HIRE A HACKER TO RECOVER STOLEN BITCOIN. CONTACT FASTFUND RECOVERY

Big-IP Next 20.2.0-2.375.1+0.0.43 iRule count problem

rewrite Azure AD response for portal access via web portal

Related Content

POC: Create and sign a JWT with iRule

AS3 signed rpms

Logging DNS Requests

use irule to sign data using sha256

Zero Trust building blocks - Leverage F5 NGINX Plus Single Sign-On (SSO) and F5 XC