For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

rgordon_01's avatar
rgordon_01
Icon for Nimbostratus rankNimbostratus
Sep 11, 2018

Can SAML request issuer and SP connector entity id be different

Here's my problem. Our f5 is acting as idP. When I go to the SP initiated link it does not work. I get a page cannot be displayed. I can see in fiddler it's adding - ?binding=urn:oasis:names:tc:S...
BIG-IP Access Policy Manager (APM)
security
youssef1's avatar
youssef1
Icon for Cumulonimbus rankCumulonimbus
Sep 11, 2018

Hi,

You have to check 2 things, so it's a good thing that you use Fiddler.

Capture saml request using fiddler then decode the saml request using this link:

https://www.samltool.com/decode.php

Then checked the following point in your saml request (decode):

  • saml issuer

It will be your SP entity ID that you set in your external SP

  • ACS: saml AssertionConsumerServiceURL

AssertionConsumerServiceURL="It will be ACS URL that you set on your external SP"

if that's not the case you have to change the settings of your external sp on F5, for addapter. Sometimes you retrieve metadata of an external app and app owner change them without provide you the new info...

Hope it's clear. keep me update.

regards