

Gabriel_V_13146
Mar 04, 2014

F5 APM SAMLResponse - invalid XML

Hello all, trying to use the F5 APM as a SAML IdP, so far testing with simpleSAMLphp as an SP. Apparently I have something misconfigured (that happens). The problem is with the SAMLResponse we get back from the F5 APM. Using AWS instance BIG-IP 11.4.1 Build 635.14 Engineering Hotfix HF2.

SAMLResponse=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48P3htbCB2ZXJzaW9uPSIxLjAiIGVuY29kaW5nPSJVVEYtOCI%2FPjxzYW1sMnA6UmVzcG9uc2UgSUQ9Il9lMDRkODgyNzRmZjYyOTIwZjQ2NmM4ZDJhMTk1ZjU2OWE1ODNkOCIgSW5SZXNwb25zZVRvPSJfMjVkN2U4OGI1ZjBiYjljNmNjMWZlYTE5ZWZhMGVhYzYzMTA4MTIxYzc3IiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDMtMDRUMTQ6NTc6MDdaIiBEZXN0aW5hdGlvbj0iaHR0cDovLzU0LjcyLjUzLjEzNS9zaW1wbGVzYW1sL21vZHVsZS5waHAvc2FtbC9zcC9zYW1sMi1hY3MucGhwL2RlZmF1bHQtc3AiIHhtbG5zOnNhbWwycD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBWZXJzaW9uPSIyLjAiPiA8c2FtbDI6SXNzdWVyIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5odHRwOi8vNTQuNzIuNTguMjM5PC9zYW1sMjpJc3N1ZXI%2BPHNhbWwycDpTdGF0dXM%2BPHNhbWwycDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOkludmFsaWROYW1lSURQb2xpY3kiIC8%2BPC9zYW1sMnA6U3RhdHVzPjwvc2FtbDJwOlJlc3BvbnNlPg%3D%3D&RelayState=http%3A%2F%2F54.72.53.135%2Fsimplesaml%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Ddefault-sp

decoded XML states:

<?xml version="1.0" encoding="UTF-8"?>
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response ID="_e04d88274ff62920f466c8d2a195f569a583d8"
    InResponseTo="_25d7e88b5f0bb9c6cc1fea19efa0eac63108121c77"
    IssueInstant="2014-03-04T14:57:07Z"
    Destination="http://54.72.53.135/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://54.72.58.239</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
  </saml2p:Status>
</saml2p:Response>

The double XML declaration is illegal, so the response cannot be parsed. Question: does it behave correctly when the subject is authenticated?

Best regards

Gabriel

4 Replies

  • I think the issue is actually that your SAMLRequest is sending an invalid NameIDPolicy. SimpleSAMLPHP sends by default, I believe, a "transient" NameIDPolicy. So in your APM Local IdP Services config, in the Assertion Settings section, make sure the Assertion Subject Type is set to "Transient Identifier".


  • What I'd like to report is that the reply XML in the case of the exception is invalid.


    Invalid in the sense that SimpleSAMLPHP doesn't accept the SAMLResponse? In that case, the SAMLResponse you've provided indicates a response from the IdP that the SAMLRequest contains an invalid NameIDPolicy. In other words, this SAMLResponse is an error response.


    Have you changed the IdP's assertion subject type? And if so, do you get a different error?


  • I see what you mean now, and that is strange indeed. I've verified the same behavior in 11.5, although it only appears to exist with an error response. A valid (non-error) SAMLResponse only has one XML declaration.
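As an added diagnostic (not code from the thread or from F5), the following Python decodes the SAMLResponse value posted in the question the way an SP would, shows that a strict XML parser rejects the doubled declaration, and then reads the status the IdP actually returned so the InvalidNameIDPolicy error described in the replies is visible; the helper names are my own.

```python
import base64
import re
import urllib.parse
import xml.etree.ElementTree as ET

# The SAMLResponse query value exactly as posted in the question (URL-encoded base64).
POSTED_SAMLRESPONSE = "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48P3htbCB2ZXJzaW9uPSIxLjAiIGVuY29kaW5nPSJVVEYtOCI%2FPjxzYW1sMnA6UmVzcG9uc2UgSUQ9Il9lMDRkODgyNzRmZjYyOTIwZjQ2NmM4ZDJhMTk1ZjU2OWE1ODNkOCIgSW5SZXNwb25zZVRvPSJfMjVkN2U4OGI1ZjBiYjljNmNjMWZlYTE5ZWZhMGVhYzYzMTA4MTIxYzc3IiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDMtMDRUMTQ6NTc6MDdaIiBEZXN0aW5hdGlvbj0iaHR0cDovLzU0LjcyLjUzLjEzNS9zaW1wbGVzYW1sL21vZHVsZS5waHAvc2FtbC9zcC9zYW1sMi1hY3MucGhwL2RlZmF1bHQtc3AiIHhtbG5zOnNhbWwycD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBWZXJzaW9uPSIyLjAiPiA8c2FtbDI6SXNzdWVyIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5odHRwOi8vNTQuNzIuNTguMjM5PC9zYW1sMjpJc3N1ZXI%2BPHNhbWwycDpTdGF0dXM%2BPHNhbWwycDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOkludmFsaWROYW1lSURQb2xpY3kiIC8%2BPC9zYW1sMnA6U3RhdHVzPjwvc2FtbDJwOlJlc3BvbnNlPg%3D%3D"

XML_DECL = re.compile(r"<\?xml[^>]*\?>")
NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_saml_response(param):
    """URL-decode, then base64-decode, a SAMLResponse form or query value."""
    return base64.b64decode(urllib.parse.unquote(param)).decode("utf-8")

def strict_parse(xml_text):
    """Parse the way a conforming SP does. Returns (root, None) or (None, error text)."""
    try:
        return ET.fromstring(xml_text), None
    except ET.ParseError as exc:
        return None, str(exc)

def drop_duplicate_declarations(xml_text):
    """Diagnostic only: keep the first XML declaration and remove any later copies."""
    first = XML_DECL.search(xml_text)
    if first is None:
        return xml_text
    return xml_text[:first.end()] + XML_DECL.sub("", xml_text[first.end():])

def summarize(param):
    """Describe what the IdP sent: number of prologs, whether it parses, and the status."""
    xml_text = decode_saml_response(param)
    root, err = strict_parse(xml_text)
    if root is None:
        # Strict parsing failed; repair the prolog so the status can still be read.
        root = ET.fromstring(drop_duplicate_declarations(xml_text))
    status = root.find("saml2p:Status/saml2p:StatusCode", NS)
    issuer = root.find("saml2:Issuer", NS)
    value = status.get("Value") if status is not None else None
    return {
        "xml_declarations": len(XML_DECL.findall(xml_text)),
        "strict_parse_error": err,
        "issuer": issuer.text if issuer is not None else None,
        "in_response_to": root.get("InResponseTo"),
        "status": value,
        "is_error": value != "urn:oasis:names:tc:SAML:2.0:status:Success",
    }
```

Run against the posted value, summarize() reports two XML declarations, a strict parse error, and the status InvalidNameIDPolicy, which is the SP-side view of what the first reply describes.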