Forum Discussion

Altostratus

Aug 18, 2016

How best to achieve SSO between APM policies of different types (portal and ltm+apm)?

We provide external access to a number of internal resources via APM in BIGIP (11.6.0). Some of these resources can only be presented to external users via webtop-based portal access whilst others on...

BIG-IP Access Policy Manager (APM)

Altostratus

Aug 25, 2016

Thanks again Evan,

I have double-checked the advanced assignment step within the IdP policy and application specific SAML resources are definitely being assigned. However APM still insists that a "Webtop configuration is required" and same error is being logged "Logon denied due to validation error, Error Code: 3000 (No Webtop)"

I'm beginning to think that it is a version specific issue. The 11.6.0 documentation differs from the 12.1.0 documentation that you linked.

In 11.6.0 the relevant SAML instructions state:

https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/28.htmlconceptid

Configuration requirements to support IdP- and SP-initiated connections
... 
  An access policy that:
    Performs authentication
    Assigns SAML resources and full webtop

However the stipulation for a 'full webtop' assignment does not appear in the 12.1.0 documentation. I am going to try an lab this on 12.1.0 to see whether I have any more success.

Thanks again for your guidance,

Barny

Evan_Champion_1

Cirrus

Aug 26, 2016

That could be it -- we are using 12.1.0. I would recommend 12.1.0 HF1 for other reasons anyway, as it fixed some of the bugs I found with SAML. HF1 fixes a further regression in 12.1.0 where a user going to

https://yourserver/path/to/content

ends up redirected back to

https://yourserver/

after authentication and not

https://yourserver/path/to/content

. This can be worked around but given you are upgrading you are better to go to HF1.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

How best to achieve SSO between APM policies of different types (portal and ltm+apm)?

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

Checking for X-Forwarded-For against an Address Data-Group

SSL Bridging and FQDN rewrite Policy

Cisco TACACS+ Config on ISE LTM Pair

iRule causing requests to be duplicated (sometimes)

How can I get started with iCall

Related Content

Different policies same destination and pool

LTM Policy

iControl REST Cookbook - LTM policy (ltm policy)

LTM policy to route traffic to different pools

Using BIG-IQ to Determine Differences Between Advanced WAF Policies

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS