So we have an external IdP that is created using the federation information that we can download from our Azure account. https://login.microsoftonline.com/{customer_id_string}/federationmetadata/2007-06/federationmetadata.xml This is imported into the F5 configuration and we are able to use it successfully, my question revolved around they way the F5 support this federationmetadata.xml file we get from Azure. It contains 2 certificate and at different times each certificate can be valid but from the F5 side we can only every select the one. Is there a way on the F5 side to select both certificate on the IdP so will will authenticate no matter which one Azure is configure to use? Thanks Chris

Hi. Usually one is for signing and other is for encryption Signing is usually required to work but encryption is rarely used If imported from metadata names will have different endings

Correct the certificates have the same name but one has an extra "2" in it which I guess signifies it the second certificate that's imported. I've found that we have had to use both certificate at different times but unsure why or if we’re doing something wrong on the Azure side or F5?

Which version are you using ? I'm at 12.1.1 204 I think The other day I was setting up federation with IBM verse and I did find F5 imported incorrectly certs from metadata, maybe is a bug we can report. IBM has two, one for signing, one for encryption. Common names were like IBM_VERSE_S and IBM_VERSE_E. But when I came to the gui, to my surprise both were as IBM_VERSE_E What I did was, edit metadata with notepad, copy text for both certs between < and > and paste with notepad in a .txt and rename to .cer Then I imported back to gui and reassigned them to SP-connector Then certs show correct name and everything begin to work

Do you know the purpose of the cert? Is it for verify signature or encrypt assertion? As Sergi mentioned it could be one for signature verification and other could be for assertion encryption.

Sample IBM metadata. Look at KeyDescriptor use= After this comes the cert between > and < MIIDHDCCAgSgAwIBAgIEUh+uUzANBgkqhkiG9w0BAQsFADBQMQswCQYDVQQGEwJVUzEMMAoGA1UEChMDSUJNMQ4wDAYDVQQLEwVMb3R1czEjMCEGA1UEAxMaTG90dXNMaXZlIFNlcnZpY2UgUHJvdmlkZXIwHhcNMTMwODI5MjAyNTU1WhcNMzUwNzI1MjAyNTU1WjBQMQswCQYDVQQGEwJVUzEMMAoGA1UEChMDSUJNMQ4wDAYDVQQLEwVMb3R1czEjMCEGA1UEAxMaTG90dXNMaXZlIFNlcnZpY2UgUHJvdmlkZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLWsd/pWy8A5qoZTjL5WzH/+/XHEe3MhupsY9xld1EgVd7ybCDI91uee+ZOxZh3EtMF6u54K8atQ7k61OnylpxVwWeqbck0C6eN/HzZbaOIu/GR4nFTSLl7J1j8DKGHxvyTsX1INS0Ba9s66mJVzDxa9LFN8RNQHmY9EeZ58IaQmNRnjDffT3AjBFITFlYlKxiVTp+zPh0iLqlB7dBYUYLyO11OhjPzTmH5wwgaz1eEtLbtukMW18wI0snzPLVqC7Rom6hHy7L6v+PHII19p7RmfHOZqcpe+pEZYgVhpX+gljJLwkGWEgsFKy/OsnTUOITtBQtCFnK5Kffeiq1RneZAgMBAAEwDQYJKoZIhvcNAQELBQADggEBABgY0tAwLkXyrywqnlT70KDuAlZF7XduXQpu/G1n7z4fMqELHU8qLLMIFcm5Ci+Dx8K53LPImVEI+jnMf9+av4d+tEOewXGUK9lg5HPMUZNvWr6559Ha0OGf8FmfDKmCqlfJJ1CJan/zLrw0wcCQBztXG7a79Q+S+LYVvh02CmB5iZ/+NEo6x3K5nv49r6/GhHLKj2YU1VHnF8PWHDW+9H6xNkKOYAbV0+FV72ZPCDW0mMN0MdziNn4wG5+Eq9XXl4ClUm6DH6KeuRxtaJsga3Hd9avgsr9cf4yh2bIF9KfMLBI/ER+xf/Q6RY2cDyS036hKkA92qy6SvKeUMCTj6GI= MIIDNjCCAh6gAwIBAgIEUh+uVTANBgkqhkiG9w0BAQsFADBdMQswCQYDVQQGEwJVUzEMMAoGA1UEChMDSUJNMQ4wDAYDVQQLEwVMb3R1czEwMC4GA1UEAxMnTG90dXNMaXZlIFNlcnZpY2UgUHJvdmlkZXIgLSBFbmNyeXB0aW9uMB4XDTEzMDgyOTIwMjU1N1oXDTM1MDcyNTIwMjU1N1owXTELMAkGA1UEBhMCVVMxDDAKBgNVBAoTA0lCTTEOMAwGA1UECxMFTG90dXMxMDAuBgNVBAMTJ0xvdHVzTGl2ZSBTZXJ2aWNlIFByb3ZpZGVyIC0gRW5jcnlwdGlvbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANBgpwmfaLDGGWyzDtJ2PC8TQ1KWaaOJTr4DRxphW1lzLVw0YZtwe0Ig1aO53NK5zzXXROcBLJGgULYdOzyGY7BCKac1pFhuwaGHJvfCc6iVElsuU5r1bpU7yUmIX3Of9kjXMgtCREDiXRrHxJZy+TFuZYikvYgpsTCkTA4v182rehLlvcO60Vu6sAwzsZbJ7h4XsyIk0Cr5Vzj8wVyr8j/CzdFSufVIefeee5PpiHjSYHFQ2RoJo83o+g/WujCpgj6w62Tk4hA4UGZM3XRy0EKvyR4QdQsIbRh9pASBqXNK5/Jn7AJzqWGSuOuXhWORXFveia0UwSdYMR6GmSJDcqkCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAJcZF+jwK/xnOswRUyLvkXdpU2ShKKwAlVMburH47zMeQ4oi1RWXa2PexbRk/LQUHC+6cWPUQ6ySQlHF73JEsVNw/rFfRyBIeHNibo+sIkkPZqymlm8SP9UZqgAriyVIqkvnqytRTm2+vsAIMv7/38XPXfHugDyxa0156reOh+rMIGznFUhawNOYsrfFC8YS7impwMjTgXxGvNrBOUKblM1vP4ftfS8JZFbehmjqCG4+aBJAKfY/4sCobksj/DzrFSH6t82ZhrH7V5MXmZ5VdU4On5FxIC4lZKq6wQCZfQnVR8cfCQWyGhFU2lXxNTUHpyfPp0U/Nj5/0aWQ+xyr4bA== ' target="_blank" rel="nofollow">http://www.w3.org/2001/04/xmlencrsa-1_5"/>;

Azure SAML IdP | DevCentral

18 Replies

Chris_Guthrie
Nimbostratus
Mar 27, 2017
So I can post this link to the file but unsure if this is secure to do or if the federation info is public domain?
Chris_Guthrie
Nimbostratus
Mar 27, 2017
So after we after hotfix we got from F5 the issue happened once and I switch to the other certificate, its not been an issue since but I don't no how often the certificate changes to be sure.
Sergi_Munyoz_24
Nimbostratus
Mar 27, 2017
Hi Chris. I was thinking on idp not sp. I have experience with idp not sp, but usually read both types of metadata. So if I understand you are publishing sharepoint with F5 as SP against ADFS as IdP, is this correct ? Metadata is usually public as does not involve private keys, users or passwords, but you can mask your domain names as "yourcompany.com" f.ex. Also you can cut some parts of the certs on the file , but sure if they are from MS they are public
kunjan
Nimbostratus
Mar 27, 2017
I think after the fix this cert changed should have automated. Next time if the issue happens you can try 'bigstart restart samlidpd'. If that fixes the issue, probably the issue persists. You also can check /var/log/saml_automation.log for any errors.
Sergi_Munyoz_24
Nimbostratus
Mar 28, 2017
Hi Chris. I'm not able to test import of this on my F5, due to text format I suppose... Assuming SAML begins from: "IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" I can see 3 certificates, where 2 self-signed referring to CN=accounts.accesscontrol.windows.net are almost equal in parameters (with 2 weeeks of difference in issuing date, same key lenght,...) So I think is impossible to say which one is right unless you ask it to metadata issuer (Mr. MSft), or unless Idp Automation (no experience with this) chooses the right one for you
- Chris_Guthrie
  Nimbostratus
  Mar 28, 2017
  Yeah I kind of agree with what your saying (it's between those 2 certs I've been switching) been trying to get that answer from MS still working that side. Thanks
- Sergi_Munyoz_24
  Nimbostratus
  Mar 28, 2017
  No other way to solve it I think. Good luck with the question
- kunjan
  Nimbostratus
  Mar 28, 2017
  Checking further shows MS also mention about this.
  
  https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-federation-metadata
  
  A federation metadata document published by Azure AD can have multiple signing keys, such as when Azure AD is preparing to update the signing certificate. When a federation metadata document includes more than one certificate, a service that is validating the tokens should support all certificates in the document.
  
  I don't think APM support this. May want to raise a support case.

Forum Discussion

Azure SAML IdP

18 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Cisco TACACS+ Config on ISE LTM Pair

Illegal Metacharacter in Parameter Name in Json Data

AS3 declaration to set cookie to preferred

SSL Bridging and FQDN rewrite Policy

Checking for X-Forwarded-For against an Address Data-Group

Related Content

APM Cookbook: SAML IdP Chaining

Sharing User Credentials Between SAML IDP and SP Policies in F5 APM

SAML: F5 as SP, Azure as IdP Problems with SLO

NGINXaaS for Azure: Azure Key Vault

APM SAML IdP - SP Issuer Extraction

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS