Forum Discussion

Florian_G__Furt
Dec 13, 2019

Big-IP SAML2.0 IdP to same SP back-end for multiple host aliases


I'm wondering how it can be achieved to configure SAML2.0 on APM as IdP in a way that prevents 'No RelayState mapping found for RelayState value xxx' errors when coming from an FQDN for which SAML2.0 has not been configured.



We have exported the SP metadata and imported the IdP metadata based on this host alias, for which SAML2.0 is operating as expected. Now our customers are not able to remember it, so we are offering (super easy to remember), but are getting back the RelayState error, which is obvious because for the alias no SP/IdP relation has been configured.



It's possible on the SP side to configure the IncomingRequest parameters to send the application URL, for example, but it will depend on whether the F5 IdP can differentiate it and send the response to the same host that made the request?


There are customers who have used a BIG-IP or other appliances that mentioned forwarding requests to the correct SPs based on specific host aliases and Service-URLs. Thus the URL was appropriately masked and rewritten by the reverse proxy. The host header was replaced with the host value extracted from the matched ACS URI of the internal SP.


This would lead to the following example, which illustrates the Assertion Consumer Service endpoints for an SP that is only using the SAML2 HTTP-POST binding:



Binding                                          | Endpoint | Status
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST   |          | Pre-existing
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST   |          | Need to add


The question is, how to overcome this behaviour which is leading to 'No RelayState mapping found for RelayState value xxx'?


Any help would be greatly appreciated, best wishes
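Added example (not code from the post or from F5), assuming the hypothetical host names app.example.com and app and the hypothetical ACS path /saml/acs: it parses a constructed SP metadata document and builds the Binding / Endpoint / Status table above for each host alias, and shows the IdP-side rule that an assertion is only posted to an ACS URL registered verbatim in the SP metadata, which is the check an unknown alias fails.

```python
"""Checks which host aliases of an SP are covered by its SAML metadata."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata (hypothetical names): only the primary FQDN
# app.example.com has an AssertionConsumerService endpoint registered.
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app.example.com/saml/sp">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def acs_locations(metadata_xml, binding=HTTP_POST):
    """Return the set of ACS Location URLs registered for `binding`."""
    root = ET.fromstring(metadata_xml)
    path = ".//md:SPSSODescriptor/md:AssertionConsumerService"
    return {acs.get("Location") for acs in root.findall(path, NS)
            if acs.get("Binding") == binding}


def is_registered_acs(metadata_xml, requested_acs_url, binding=HTTP_POST):
    """An IdP should only post an assertion to an ACS URL that appears
    verbatim in the SP metadata; anything else is an unknown SP
    (the situation that surfaces as the RelayState mapping error)."""
    return requested_acs_url in acs_locations(metadata_xml, binding)


def acs_coverage(metadata_xml, aliases, acs_path="/saml/acs"):
    """Build the Binding / Endpoint / Status table from the post for each
    host alias: 'Pre-existing' if its HTTP-POST ACS endpoint is already in
    the metadata, 'Need to add' if the SP metadata must be extended."""
    rows = []
    for alias in aliases:
        endpoint = f"https://{alias}{acs_path}"
        status = ("Pre-existing" if is_registered_acs(metadata_xml, endpoint)
                  else "Need to add")
        rows.append((HTTP_POST, endpoint, status))
    return rows
```

Running acs_coverage(SP_METADATA, ["app.example.com", "app"]) yields one 'Pre-existing' row for the configured FQDN and one 'Need to add' row for the short alias, which is exactly the ACS entry the SP metadata (and the IdP's SP connector) must gain before the alias can work.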


