Forum Discussion
F5 SAML WebEx
Has anyone successfully integrated F5 APM SAML2.0 as an IdP with Webex (SP)?
I'm getting the following errors and I'm not sure how to diagnose them:
Jan 30 15:37:55 edge2 err tmm[14237]: 014d0002:3: 7e63b70b: SSOv2 Error: No SP Connector attached to SAML SSO (/Common/idp_XXXXXXX) matching authentication request. If ACS URL is present in authentication request it should match ACS URL from SP Connector. If Issuer is present in authentication request it should match entity_id from SP Connector.
Jan 30 15:37:55 edge2 err tmm[14237]: 014d0002:3: 7e63b70b: SSOv2 Error(16) Unable to find SAML SSO/SP Connector object matching SAML Authn Request
I have an External SP Connector defined. And it has been bound to the one, and only, Local IdP Service. This Local IdP Service is also bound to an EMC Syncplicity SSO which works just fine. So I'm stumped as to whether the issue is the SAML External SP connector or the Webex SSO configuration for the IdP.
Any suggestions?
9 Replies
What does your config look like? Is your IDP config assigned as the SSO profile to the Access policy or in the VPE? Based on your description, it has to be the former, as the same IDP config object cannot currently be used in the VPE as a SAML Resource if it has multiple SP connectors bound to it - so I would double-check your setup. I don't think this has anything to do with WebEx but rather with your APM setup.
- Gilles_Archer_3
Nimbostratus
Hi Michael,
The IDP SSO has two SAML SP Connectors (WebEx & Syncplicity). The IDP SSO is assigned to one access profile (VPE has Logon Page-->AD Auth-->AD Query) with no resource assignments.
I used the BIG-IP APM Authentication and SSO Manual, chapter 29, as my guide. Our intention is to use this IDP to host multiple SPs that utilize the same assertion (email address) method.
Sounds like you have it set up right. Did you double-check that everything matches? The URIs, all slashes, etc. - SAML is very picky on matching things. One easy way to test is to "unbind" the Syncplicity Connector and just try with WebEx - if it still fails, you know that something does not match in terms of metadata. Did you import the metadata file from WebEx to create the SP connector?
- Gilles_Archer_3
Nimbostratus
I'm way ahead of you, Michael. I did try unbinding all SP connectors other than the WebEx connector. No luck. We exported the IdP and imported it into the WebEx SSO Configuration page. We exported the WebEx SP and imported into APM. It should be rather straight forward.
I've got a case open. All the data is being analysed so now it's just a waiting game.
Thanks again.
- It should be. Feel free to message me your case number, and I can take a look and see if I can offer up any advice
- Gilles_Archer_3
Nimbostratus
I've got Kenny hard at work on C1758571. We're trying with just one SP Connector (Webex) now. The other (EMC Syncplicity) works just fine when it is bound.
Gilles - I looked over the data in the case - I believe you are likely running into bug id 432102. There is a bug that affects processing encoded RelayState parameters - and because WebEx apparently sends RelayState in the encoded way as opposed to plaintext, that is most likely the culprit here (and would explain why APM does not match the ACS).
- Gilles_Archer_3
Nimbostratus
That was it - that trailing "/". Thanks for the help folks.
- Gilles_Archer_3
Nimbostratus
Hi Stefan,
I apologize for missing your comment. Are you still having this issue?
For the External SP Connector:
General Settings / SP Entity ID: http://www.webex.com
Endpoint Settings / Assertion Consumer Service URL: https://XXXXXXXX.webex.com/dispatcher/SAML2AuthService?siteurl=XXXXXXXX
Security Settings / Will be signed: No
Security Settings / Assertion sent to SP by this device / Must be signed: Yes
The biggest thing we were missing was ensuring that the URLs matched 100% - no trailing "/".
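The matching rule spelled out in the SSOv2 error in the original post (ACS URL in the AuthnRequest must equal the SP Connector's ACS URL, Issuer must equal its entity_id) and the trailing-slash fix in the last reply can be reproduced outside the BIG-IP. The following is an added example written for this page; it is not F5's code and not code from the thread. The connector names, the `example.webex.com` site name and the Syncplicity URLs are placeholders, the AuthnRequest is constructed for the demo, and `explain_mismatch` is my own diagnostic for the near-misses SAML refuses to forgive (trailing slash, case, scheme). The decode path follows the SAML HTTP-Redirect binding: URL-decode, base64-decode, raw DEFLATE.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical SP Connector objects, mirroring the two fields the thread
# cares about (SP Entity ID and Assertion Consumer Service URL). Placeholders.
SP_CONNECTORS = [
    {"name": "/Common/sp_webex", "entity_id": "http://www.webex.com",
     "acs_url": "https://example.webex.com/dispatcher/SAML2AuthService?siteurl=example"},
    {"name": "/Common/sp_syncplicity", "entity_id": "https://example.syncplicity.com/sp",
     "acs_url": "https://example.syncplicity.com/sso/acs"},
]


def build_authn_request(issuer: str, acs_url: str) -> str:
    """Constructed minimal AuthnRequest (demo only; real ones carry Destination, NameIDPolicy, ...)."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ID="_demo1" Version="2.0" IssueInstant="2014-01-30T15:37:55Z" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>'
    )


def encode_redirect_request(xml: str) -> str:
    """HTTP-Redirect binding encoder: raw DEFLATE then base64 (URL-encoding is left to the caller)."""
    co = zlib.compressobj(level=9, wbits=-15)
    return base64.b64encode(co.compress(xml.encode("utf-8")) + co.flush()).decode("ascii")


def decode_redirect_request(saml_request_param: str) -> str:
    """Reverse of the above: URL-decode, base64-decode, inflate raw DEFLATE (wbits=-15)."""
    return zlib.decompress(base64.b64decode(unquote(saml_request_param)), -15).decode("utf-8")


def parse_authn_request(xml: str) -> dict:
    """Pull out the two values an IdP matches an SP Connector on."""
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    return {
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
    }


def explain_mismatch(req: dict, connectors) -> list:
    """Diagnostic (my own, not APM's): name the near-miss that exact matching rejected."""
    hints = []
    for c in connectors:
        for field, key in (("acs_url", "acs_url"), ("issuer", "entity_id")):
            got, want = req[field], c[key]
            if got is None or got == want:
                continue
            pg, pw = urlparse(got), urlparse(want)
            if got.rstrip("/") == want.rstrip("/"):
                hints.append(f"{c['name']}: {field} differs only by a trailing '/' ({got!r} vs {want!r})")
            elif got.lower() == want.lower():
                hints.append(f"{c['name']}: {field} differs only by case")
            elif pg.scheme != pw.scheme and pg._replace(scheme="") == pw._replace(scheme=""):
                hints.append(f"{c['name']}: {field} differs only by scheme ({pg.scheme} vs {pw.scheme})")
    return hints or ["no connector is close; check the metadata you imported"]


def match_sp_connector(req: dict, connectors) -> tuple:
    """Exact-string matching as the SSOv2 error describes it: present fields must equal the connector's."""
    if req["acs_url"] is None and req["issuer"] is None:
        return None, ["request carries neither an ACS URL nor an Issuer"]
    for c in connectors:
        acs_ok = req["acs_url"] is None or req["acs_url"] == c["acs_url"]
        iss_ok = req["issuer"] is None or req["issuer"] == c["entity_id"]
        if acs_ok and iss_ok:
            return c["name"], []
    return None, explain_mismatch(req, connectors)


if __name__ == "__main__":
    good_acs = SP_CONNECTORS[0]["acs_url"]
    for label, acs in (("trailing slash", good_acs + "/"), ("exact", good_acs)):
        wire = encode_redirect_request(build_authn_request("http://www.webex.com", acs))
        req = parse_authn_request(decode_redirect_request(wire))
        name, hints = match_sp_connector(req, SP_CONNECTORS)
        print(f"{label}: {name or 'NO MATCH'} {hints}")
```

Run it and the first request, whose ACS URL carries one extra trailing "/", fails to match any connector while the diagnostic names the slash; the byte-identical one matches `/Common/sp_webex`. The decode helper is also handy on a real BIG-IP: paste the `SAMLRequest` query parameter from a captured redirect into it and compare the attributes against the SP Connector before opening a case.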