F5 SAML Dropbox
Hi
It seems that my SAML assertion is not leaving the Big IP and looking at the debug log it looks like it is unable to interpret the authn encoded request. I have also attached the metadata from the service provider and my identity provider.
Anyone have an idea?
Dec 4 09:28:23 tmm3 debug tmm3: 014d0002:7: 6299630d: SSOv2 SAML configuration: SAML_RES=&SAML_RES_LIST=&SAML_SSO=/Common/saml_idp
Dec 4 09:28:23 tmm3 debug tmm3: 014d0002:7: 6299630d: SSOv2 GET Request, Authn Request uri: /saml/idp/profile/redirectorpost/sso?SAMLRequest=fVFNT8JAEP0rzd7pByDChjapECMJagPVgxczdAfYZLtbd7YW%2F72l1QQPcpuPN%2B%2FNm5kTlKriae2OeoMfNZLzTqXSxLtGzGqruQGSxDWUSNwVfJs%2BrvnQD3lljTOFUczLfqI7qYXUh%2Btjux5E%2FCHPs0H2vM2Z94qWpNExawHMWxHVuNLkQLu2FEajQTQchOM8nPLhLR%2FN3lrMMmZSDCDc725AYIgI4%2F1kBuMohJkQkZhCMYIJ81IitK4lXxhNdYl2i%2FZTFviyWcfs6FxFPAiapvGFNdXOnPzClMHZ%2FbsyB6lZMj8nvNvJXhznukn4VWXJsuedBxc8PWnFn9rB1TIzShZfXqqUaRYWwWHMnK2ReffGluD%2Bl4r8qKu0l9h3UI4lSJUKYZGIBUmv%2BvfDyTc%3D&RelayState=eyJwcm92aWRlcl91cmwiOiAiaHR0cHM6Ly9zYW1sLmJvb2tpbmcuY29tL3NhbWwvaWRwL3Byb2ZpbGUvcmVkaXJlY3RvcnBvc3Qvc3NvIiwgImFyZ3MiOiB7InJlbWVtYmVyX21lIjogZmFsc2UsICJleHBlY3RlZF9lbWFpbCI6ICJqb2UuZnJhemllckBib29raW5nLmNvbSIsICJjb250IjogIi8iLCAibXVsdGlfYWNjb3VudCI6IGZhbHNlfSwgImtleSI6ICJ3ZWJfbG9naW4iLCAic2Vzc2lvbl90b2tlbiI6ICJBQUQ0OXRaTjR2dmpZVUcyY3ZYc0k3bElSeTV4V0ROemI1bWxaV1kzV0hDeVdRIn0%3D
Dec 4 09:28:23 tmm3 debug tmm3: 014d0002:7: 6299630d: SSOv2 Authn Request size: 430
Dec 4 09:28:23 tmm3 debug tmm3: 014d0002:7: 6299630d: SSOv2 Base64 decoded Authn Request size: 302
Dec 4 09:28:23 tmm3 debug tmm3: 014d0002:7: 6299630d: SSOv2 SAML_ACS_BINDING: (46) urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Dec 4 09:28:23 tmm3 debug tmm3: 014d0002:7: 6299630d: SSOv2 SAML_VERSION: (3) 2.0
Dec 4 09:28:23 tmm3 debug tmm3: 014d0002:7: 6299630d: SSOv2 ISSUE_INSTANT: (20) 2013-12-04T08:27:39Z
Dec 4 09:28:23 tmm3 debug tmm3: 014d0002:7: 6299630d: SSOv2 REQ_ID: (35) id-a0fb5ade0eea4f69a410a9dd1d8ac3a6
Dec 4 09:28:23 tmm3 debug tmm3: 014d0002:7: 6299630d: SSOv2 ACS_URL: (34) https://www.dropbox.com/saml_login
Dec 4 09:28:23 tmm3 debug tmm3: 014d0002:7: 6299630d: SSOv2 ISSUER: (7) Dropbox
Dec 4 09:28:23 tmm3 debug tmm3: 014d0002:7: 6299630d: SSOv2 NAME_ID_FORMAT: (54) urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Dec 4 09:28:23 tmm3 err tmm3: 014d0002:3: 6299630d: SSOv2 Error: No SP Connector attached to SAML SSO (/Common/saml_idp) matching authentication request. If ACS URL is present in authentication request it should match ACS URL from SP Connector. If Issuer is present in authentication request it should match entity_id from SP Connector.
Dec 4 09:28:23 tmm3 err tmm3: 014d0002:3: 6299630d: SSOv2 Error(16) Unable to find SAML SSO/SP Connector object matching SAML Authn Request
SP metadata:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
IdP metadata:
removed
urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress
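To see what the BIG-IP is doing with the request in the log above, here is an added example (not F5's code) that undoes the HTTP-Redirect binding of a SAMLRequest, pulls out the same fields the debug log prints, and applies the SP-connector matching rule the "No SP Connector attached" error states. The AuthnRequest is constructed to mirror the logged values, and the connector dictionary is an assumed stand-in for the SP connector configuration.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample AuthnRequest; its field values mirror the log lines above.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-a0fb5ade0eea4f69a410a9dd1d8ac3a6" '
    'Version="2.0" IssueInstant="2013-12-04T08:27:39Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://www.dropbox.com/saml_login">'
    '<saml:Issuer>Dropbox</saml:Issuer>'
    '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>'
    '</samlp:AuthnRequest>')

def encode_redirect_request(xml_text):
    """HTTP-Redirect binding: raw-DEFLATE, base64, then URL-encode as SAMLRequest=..."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)          # -15 = raw DEFLATE, no zlib header
    raw = comp.compress(xml_text.encode()) + comp.flush()
    return urllib.parse.urlencode({"SAMLRequest": base64.b64encode(raw).decode()})

def decode_redirect_request(query):
    """Inverse: URL-decode, base64-decode, raw-inflate back to the AuthnRequest XML."""
    params = urllib.parse.parse_qs(query)
    return zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15).decode()

def parse_authn_request(xml_text):
    """Extract the fields the BIG-IP debug log prints (REQ_ID, ACS_URL, ISSUER, ...)."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    policy = root.find("samlp:NameIDPolicy", NS)
    return {"req_id": root.get("ID"), "issue_instant": root.get("IssueInstant"),
            "acs_binding": root.get("ProtocolBinding"),
            "acs_url": root.get("AssertionConsumerServiceURL"),
            "issuer": None if issuer is None else issuer.text,
            "name_id_format": None if policy is None else policy.get("Format")}

def find_sp_connector(req, connectors):
    """Pick the SP connector whose ACS URL and entity_id exactly match the request,
    as the 'No SP Connector attached' error describes; absent fields are not checked."""
    for name, sp in connectors.items():
        if req["acs_url"] and req["acs_url"] != sp["acs_url"]:
            continue
        if req["issuer"] and req["issuer"] != sp["entity_id"]:
            continue
        return name
    return None
```

The exact-match check is deliberately case-sensitive, so a connector whose entity_id differs only in case from the Issuer in the request is not selected.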
13 Replies
- Rabbit23_116296
Nimbostratus
seems I cannot get the format right to post on the site!
- Rabbit23_116296
Nimbostratus
Seems I am getting further and now it is failing to sign the assertion with my private key. I have tried multiple certificates for this and they are valid:
Dec 4 12:21:48 tmm3 debug tmm3: 014d0002:7: e25557de: SSOv2 Authn Request size: 428
Dec 4 12:21:48 tmm3 debug tmm3: 014d0002:7: e25557de: SSOv2 Base64 decoded Authn Request size: 303
Dec 4 12:21:48 tmm3 debug tmm3: 014d0002:7: e25557de: SSOv2 SAML_ACS_BINDING: (46) urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Dec 4 12:21:48 tmm3 debug tmm3: 014d0002:7: e25557de: SSOv2 SAML_VERSION: (3) 2.0
Dec 4 12:21:48 tmm3 debug tmm3: 014d0002:7: e25557de: SSOv2 ISSUE_INSTANT: (20) 2013-12-04T11:20:54Z
Dec 4 12:21:48 tmm3 debug tmm3: 014d0002:7: e25557de: SSOv2 REQ_ID: (35) id-92e1144c0c954034989a79dc13097338
Dec 4 12:21:48 tmm3 debug tmm3: 014d0002:7: e25557de: SSOv2 ACS_URL: (34) https://www.dropbox.com/saml_login
Dec 4 12:21:48 tmm3 debug tmm3: 014d0002:7: e25557de: SSOv2 ISSUER: (7) Dropbox
Dec 4 12:21:48 tmm3 debug tmm3: 014d0002:7: e25557de: SSOv2 NAME_ID_FORMAT: (54) urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Dec 4 12:21:48 tmm3 debug tmm3: 014d0002:7: e25557de: SSOv2 Using SSO config: /Common/saml_idp with SP Connector: /Common/Dropbox from ACCESS profile
Dec 4 12:21:48 tmm3 info tmm3: 014d0002:6: e25557de: SSOv2 Using SAML SSO object (/Common/saml_idp) with SP Connector (/Common/Dropbox)
Dec 4 12:21:48 tmm3 debug tmm3: 014d0002:7: e25557de: SSOv2 Authn Request Validation Status Message: urn:oasis:names:tc:SAML:2.0:status:Success
Dec 4 12:21:48 tmm3 debug tmm3: 014d0002:7: e25557de: SSOv2 Size of the Buffer needed for Assertion: 1674
Dec 4 12:21:48 tmm3 debug tmm3: 014d0002:7: e25557de: SSOv2 Assertion TimeStamp - Valid until: 2013-12-04T11:31:48Z
Dec 4 12:21:48 tmm3 debug tmm3: 014d0002:7: e25557de: SSOv2 Canonicalized Assertion SignedInfo size: 826
Dec 4 12:21:48 tmm3 debug tmm3: 014d0002:7: e25557de: SSOv2 Signing Assertion with 2048-bit IDP RSA key: /Common/booking-saml-key.key
Dec 4 12:21:48 tmm3 err tmm3: 014d0002:3: e25557de: SSOv2 Error creating signed SAML Assertion - RSA signing failed
Dec 4 12:21:48 tmm3 err tmm3: 014d0002:3: e25557de: SSOv2 Error(10) Creating Signed SAML Assertion
Dec 4 12:21:48 tmm3 err tmm3: 014d0002:3: SSOv2 plugin error(10) in sso/sso.c:427

Also in Dropbox you will need to direct it to: https://yourdomain/saml/idp/profile/redirectorpost/sso
I should read your logs first :), "Error: No SP Connector attached to SAML SSO (/Common/saml_idp) matching authentication request."
Have you set up the SP connector? And if so, you need to bind it to your IdP connector.

- Rabbit23_116296
Nimbostratus
Hey Travis, I actually got past the initial signing assertion bit by not signing the assertion, and now I believe it is down to getting the email address in the assertion itself.
I tried to create a custom session variable step in the VPE, but when doing a sessiondump -allkeys I see this: be15ff51.session.ad.last.attr.mail 0
Did you have to create a custom session variable? (We use Active Directory also, btw.)
Thanks
- Rabbit23_116296
Nimbostratus
what an awesome tool :) thanks will get on it
- Rabbit23_116296
Nimbostratus
Ok, so my session is now pulling the mail attribute and that seems to be working a treat. I get redirected to Dropbox after successfully logging on, but it cannot validate my assertion. On the external SP connector I have set:
When I enable "assertion sent to SP by this device must be signed" (as required by Dropbox) then it fails to do so (I have tried 2 different certs already):
Dec 4 18:33:18 tmm2 debug tmm2: 014d0002:7: d9f1431c: SSOv2 Authn Request size: 436
Dec 4 18:33:18 tmm2 debug tmm2: 014d0002:7: d9f1431c: SSOv2 Base64 decoded Authn Request size: 304
Dec 4 18:33:18 tmm2 debug tmm2: 014d0002:7: d9f1431c: SSOv2 SAML_ACS_BINDING: (46) urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Dec 4 18:33:18 tmm2 debug tmm2: 014d0002:7: d9f1431c: SSOv2 SAML_VERSION: (3) 2.0
Dec 4 18:33:18 tmm2 debug tmm2: 014d0002:7: d9f1431c: SSOv2 ISSUE_INSTANT: (20) 2013-12-04T17:31:48Z
Dec 4 18:33:18 tmm2 debug tmm2: 014d0002:7: d9f1431c: SSOv2 REQ_ID: (35) id-944d986372914c4b92247d5bb4ec7836
Dec 4 18:33:18 tmm2 debug tmm2: 014d0002:7: d9f1431c: SSOv2 ACS_URL: (34) https://www.dropbox.com/saml_login
Dec 4 18:33:18 tmm2 debug tmm2: 014d0002:7: d9f1431c: SSOv2 ISSUER: (7) Dropbox
Dec 4 18:33:18 tmm2 debug tmm2: 014d0002:7: d9f1431c: SSOv2 NAME_ID_FORMAT: (54) urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Dec 4 18:33:18 tmm2 debug tmm2: 014d0002:7: d9f1431c: SSOv2 Using SSO config: /Common/saml_idp with SP Connector: /Common/Dropbox from ACCESS profile
Dec 4 18:33:18 tmm2 info tmm2: 014d0002:6: d9f1431c: SSOv2 Using SAML SSO object (/Common/saml_idp) with SP Connector (/Common/Dropbox)
Dec 4 18:33:18 tmm2 debug tmm2: 014d0002:7: d9f1431c: SSOv2 Authn Request Validation Status Message: urn:oasis:names:tc:SAML:2.0:status:Success
Dec 4 18:33:18 tmm2 debug tmm2: 014d0002:7: d9f1431c: SSOv2 Size of the Buffer needed for Assertion: 1689
Dec 4 18:33:18 tmm2 debug tmm2: 014d0002:7: d9f1431c: SSOv2 Assertion TimeStamp - Valid until: 2013-12-04T17:43:18Z
Dec 4 18:33:18 tmm2 debug tmm2: 014d0002:7: d9f1431c: SSOv2 Canonicalized Assertion SignedInfo size: 826
Dec 4 18:33:18 tmm2 debug tmm2: 014d0002:7: d9f1431c: SSOv2 Signing Assertion with 2048-bit IDP RSA key: /Common/booking-saml-key.key
Dec 4 18:33:18 tmm2 err tmm2: 014d0002:3: d9f1431c: SSOv2 Error creating signed SAML Assertion - RSA signing failed
Dec 4 18:33:18 tmm2 err tmm2: 014d0002:3: d9f1431c: SSOv2 Error(10) Creating Signed SAML Assertion
Dec 4 18:33:18 tmm2 err tmm2: 014d0002:3: SSOv2 plugin error(10) in sso/sso.c:427

The name of your image is too long for the system. I ran into that too. I have a cert within the IdP connector Security Settings but not the SP connector.
I don't know if it makes a difference, but the entity ID for Dropbox should be 'dropbox', all lowercase. The entity ID I'm using for F5 is https://domain/idp/f5.
I would install SAML Tracer in Firefox and have that going when you attempt a login.
- Rabbit23_116296
Nimbostratus
Hi
Appreciate your help so far. The certificate and key are only ever set in the IdP security settings.
Yes, I am also trying different combinations of so many different x509 certificates, and it just plain fails to sign the certificate: SSOv2 Error creating signed SAML Assertion - RSA signing failed
The key and cert moduli match, so the self-signed certs are definitely ok!
still battling ahead...
- Rabbit23_116296
Nimbostratus
Thanks, I'm not using a webtop but initialising the SSO from https://www.dropbox.com/sso, which 302s me to my local IdP; I authenticate and it is just failing on the signing-my-assertion bit, as highlighted above.
Are you running 11.3 or a higher version of BIG-IP?