For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Rabbit23_116296's avatar
Rabbit23_116296
Icon for Nimbostratus rankNimbostratus
Dec 04, 2013

F5 SAML Dropbox

   **
   Hi

   It seems that my SAML assertion is not leaving the Big IP and looking at the debug log it looks like it is unable to interpret the authn encoded request. I have also attached the metadata from the service provider and my identity provider.
   Anyone have an idea?


   **



    Dec  4 09:28:23 tmm3 debug tmm3: 014d0002:7: 6299630d: SSOv2 SAML configuration: SAML_RES=&SAML_RES_LIST=&SAML_SSO=/Common/saml_idp
Dec  4 09:28:23 tmm3 debug tmm3: 014d0002:7: 6299630d: SSOv2 GET Request, Authn Request uri: /saml/idp/profile/redirectorpost/sso?SAMLRequest=fVFNT8JAEP0rzd7pByDChjapECMJagPVgxczdAfYZLtbd7YW%2F72l1QQPcpuPN%2B%2FNm5kTlKriae2OeoMfNZLzTqXSxLtGzGqruQGSxDWUSNwVfJs%2BrvnQD3lljTOFUczLfqI7qYXUh%2Btjux5E%2FCHPs0H2vM2Z94qWpNExawHMWxHVuNLkQLu2FEajQTQchOM8nPLhLR%2FN3lrMMmZSDCDc725AYIgI4%2F1kBuMohJkQkZhCMYIJ81IitK4lXxhNdYl2i%2FZTFviyWcfs6FxFPAiapvGFNdXOnPzClMHZ%2FbsyB6lZMj8nvNvJXhznukn4VWXJsuedBxc8PWnFn9rB1TIzShZfXqqUaRYWwWHMnK2ReffGluD%2Bl4r8qKu0l9h3UI4lSJUKYZGIBUmv%2BvfDyTc%3D&RelayState=eyJwcm92aWRlcl91cmwiOiAiaHR0cHM6Ly9zYW1sLmJvb2tpbmcuY29tL3NhbWwvaWRwL3Byb2ZpbGUvcmVkaXJlY3RvcnBvc3Qvc3NvIiwgImFyZ3MiOiB7InJlbWVtYmVyX21lIjogZmFsc2UsICJleHBlY3RlZF9lbWFpbCI6ICJqb2UuZnJhemllckBib29raW5nLmNvbSIsICJjb250IjogIi8iLCAibXVsdGlfYWNjb3VudCI6IGZhbHNlfSwgImtleSI6ICJ3ZWJfbG9naW4iLCAic2Vzc2lvbl90b2tlbiI6ICJBQUQ0OXRaTjR2dmpZVUcyY3ZYc0k3bElSeTV4V0ROemI1bWxaV1kzV0hDeVdRIn0%3D
Dec  4 09:28:23 tmm3 debug tmm3: 014d0002:7: 6299630d: SSOv2 Authn Request size: 430
Dec  4 09:28:23 tmm3 debug tmm3: 014d0002:7: 6299630d: SSOv2 Base64 decoded Authn Request size: 302
Dec  4 09:28:23 tmm3 debug tmm3: 014d0002:7: 6299630d: SSOv2 SAML_ACS_BINDING: (46) urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Dec  4 09:28:23 tmm3 debug tmm3: 014d0002:7: 6299630d: SSOv2 SAML_VERSION: (3) 2.0
Dec  4 09:28:23 tmm3 debug tmm3: 014d0002:7: 6299630d: SSOv2 ISSUE_INSTANT: (20) 2013-12-04T08:27:39Z
Dec  4 09:28:23 tmm3 debug tmm3: 014d0002:7: 6299630d: SSOv2 REQ_ID: (35) id-a0fb5ade0eea4f69a410a9dd1d8ac3a6
Dec  4 09:28:23 tmm3 debug tmm3: 014d0002:7: 6299630d: SSOv2 ACS_URL: (34) https://www.dropbox.com/saml_login
Dec  4 09:28:23 tmm3 debug tmm3: 014d0002:7: 6299630d: SSOv2 ISSUER: (7) Dropbox
Dec  4 09:28:23 tmm3 debug tmm3: 014d0002:7: 6299630d: SSOv2 NAME_ID_FORMAT: (54) urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Dec  4 09:28:23 tmm3 err tmm3: 014d0002:3: 6299630d: SSOv2 Error: No SP Connector attached to SAML SSO (/Common/saml_idp) matching authentication request. If ACS URL is present in authentication request it should match ACS URL from SP Connector. If Issuer is present in authentication request it should match entity_id from SP Connector.
Dec  4 09:28:23 tmm3 err tmm3: 014d0002:3: 6299630d: SSOv2 Error(16) Unable to find SAML SSO/SP Connector  object matching SAML Authn Request

IsP metadata:




urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Idp metadata:
   
- 
- 
- 
- 
- 
  removed 
  
  
  
  urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress
BIG-IP Access Policy Manager (APM)
saml
security

13 Replies

Show More
  • travis99_94012's avatar
    travis99_94012
    Icon for Cirrus rankCirrus
    Dec 05, 2013

    We're running 11.4.1. I would try giving access to a webtop and the SAML resource in the access policy. Also, I would try going to dropbox.com and signing in to make sure it's not the URL you're using (you should have a custom URL from dropbox). Just input your email address without a password and when you click login it should redirect you to your F5 page.