BIGIP as SAML SP with ADFS 2.0 as IdP - Signed Authn Request Failing
Hi all,
I have BIG-IP set up successfully as SP for an application. When users connect they are redirected to an appropriate IdP based on landing URI. A new customer has been added to the SAML federation and they use ADFS 2.0 as IdP. The SP successfully redirects these users to their IdP, but the connection fails at this point with an HTTP 404 error.
We have narrowed down the issue to the setting "Signed Authentication Request" in the SP config on the BIGIP. If this is unchecked, everything works ok. Checking this box breaks connectivity consistently.
One of our major problems in troubleshooting this is that the ADFS server doesn't seem to generate any logs with respect to the failed connection. The certificate used to sign the AuthnRequest is brand new and publicly signed. I have supplied the customer with the full chain for the cert (cert + intermediate CA + root CA) to install in their ADFS, but that did not resolve the issue.
I currently have the full-chain version of the cert in my SP settings under BIGIP as SP > > Security Settings > SP Certificate. Could that be causing a problem? Should it be just the single cert, instead of the chain?
It would be ideal to be able to sign AuthnRequests, so I'm hoping somebody else may have come up against this and could offer some suggestions.
Many thanks.
Setup: BIGIP 11.6.0 HF5
- Jad_Tabbara__J1
Hello BenJ,
In my case, all my Local SP objects are configured with the cert only.
Maybe you can try using only the cert, without the chain.
Also, you can turn on debug mode on APM, reproduce the problem and view /var/log/apm. Maybe you can get more details.
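Added example (not code from the thread, from F5 or from ADFS): a small stdlib-only script for the two checks this thread turns on. First, it decodes the URL the SP actually redirects the browser to and reports how the AuthnRequest is signed: with the HTTP-Redirect binding the signature travels in the SigAlg and Signature query parameters over a deflated, base64-encoded SAMLRequest and the XML itself carries no ds:Signature, whereas with HTTP-POST an XML Signature is embedded in the AuthnRequest. Second, it splits a PEM bundle into its certificate blocks so you can see whether the file you uploaded as the SP certificate is one cert or a chain. The AuthnRequest XML, the PEM bodies, the Signature value and all hostnames and paths below are constructed placeholders; no real key is involved and the script does not verify signatures.

```python
"""Decode an SP -> IdP SAML redirect and inspect how the AuthnRequest is signed.

Added example for this thread, not code from the original post, from F5 or
from ADFS. Everything below (AuthnRequest XML, PEM bundle, Signature value,
hostnames, paths) is a constructed placeholder; no signature is verified.
"""
import base64
import re
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed, unsigned AuthnRequest as an SP emits it for the Redirect binding.
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_c0ffee" Version="2.0" IssueInstant="2015-06-01T12:00:00Z" '
    'Destination="https://adfs.example.test/adfs/ls/" '
    'AssertionConsumerServiceURL="https://sp.example.test/saml/sp/profile/post/acs" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://sp.example.test/saml/sp</saml:Issuer>'
    '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>'
    '</samlp:AuthnRequest>'
)

# Constructed POST-binding variant with an embedded (placeholder) XML Signature.
SAMPLE_POST_SIGNED_REQUEST = SAMPLE_AUTHN_REQUEST.replace(
    "</saml:Issuer>",
    f'</saml:Issuer><ds:Signature xmlns:ds="{DS}"><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>',
)

# Constructed PEM bundle: three blocks with placeholder bodies, not real certificates.
SAMPLE_CHAIN_PEM = "".join(
    f"-----BEGIN CERTIFICATE-----\nPLACEHOLDER{n}\n-----END CERTIFICATE-----\n"
    for n in ("LEAF", "INTERMEDIATE", "ROOT")
)


def encode_redirect_request(xml_text):
    """Raw DEFLATE (no zlib header) then base64, as the Redirect binding requires."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def decode_redirect_request(saml_request):
    """Inverse of encode_redirect_request: base64-decode, then raw inflate."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode()


def redirect_signing_input(saml_request, relay_state, sig_alg):
    """The string an SP signs for the Redirect binding: URL-encoded SAMLRequest,
    RelayState (only when present) and SigAlg, joined with '&' in that order."""
    parts = [f"SAMLRequest={quote(saml_request, safe='')}"]
    if relay_state is not None:
        parts.append(f"RelayState={quote(relay_state, safe='')}")
    parts.append(f"SigAlg={quote(sig_alg, safe='')}")
    return "&".join(parts)


def build_redirect_url(idp_sso_url, xml_text, relay_state=None, signature_b64=None, sig_alg=RSA_SHA256):
    """Assemble the IdP redirect URL. signature_b64 is supplied by the caller (a
    placeholder here), so this only shows the parameter layout, not real signing."""
    params = {"SAMLRequest": encode_redirect_request(xml_text)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    if signature_b64 is not None:
        params["SigAlg"] = sig_alg
        params["Signature"] = signature_b64
    return idp_sso_url + "?" + urlencode(params)


def inspect_authn_request(xml_text):
    """Fields an IdP admin checks first, plus whether the XML itself carries a Signature."""
    root = ET.fromstring(xml_text)
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "embedded_xml_signature": root.find(f"{{{DS}}}Signature") is not None,
    }


def inspect_redirect_url(url):
    """Decode a captured SP -> IdP redirect and report how (if at all) it is signed."""
    q = parse_qs(urlparse(url).query)
    info = inspect_authn_request(decode_redirect_request(q["SAMLRequest"][0]))
    info["query_signed"] = "Signature" in q and "SigAlg" in q
    info["sig_alg"] = q.get("SigAlg", [None])[0]
    return info


def split_pem_certs(pem_text):
    """Return each CERTIFICATE block in a PEM bundle; the first block is the leaf."""
    return re.findall(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", pem_text, re.S)


if __name__ == "__main__":
    url = build_redirect_url("https://adfs.example.test/adfs/ls/", SAMPLE_AUTHN_REQUEST,
                             relay_state="app1", signature_b64="UExBQ0VIT0xERVI=")
    print(inspect_redirect_url(url))
    print("POST variant signed in XML:", inspect_authn_request(SAMPLE_POST_SIGNED_REQUEST)["embedded_xml_signature"])
    print(len(split_pem_certs(SAMPLE_CHAIN_PEM)), "certificate block(s) in the bundle")
```

To use it on a real failure, copy the Location header the BIG-IP returns to the browser into inspect_redirect_url: if query_signed is True you know the SP is signing the Redirect binding, and a leaf-only certificate for the IdP to verify against is split_pem_certs(bundle)[0].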