How can I config BIGIP APM skip ACS URL checking ?

To clarify, you had a working SAML Federation with Salesforce as the IdP and APM as the SP, and are trying to migrate to a different IdP?

No, I integrated salesforce(SP) with BIG-IP APM as IDP. And I want the APM send saml response to our system instead of Salesforce, that is why I changed the ACS URL in SP connector to my system.

Hi,

it's not the right way to ignore the validation of acs, besides, you can not ignore it or bypass this protection.

but you can solve your problem very easily, I explain myself. So if you have this problem, it means that the ACS contained in the request (SAML Request) are different from those configured in your external sp.

I often have this problem the application owners give us wrong information and it is up to us to solve the problem :-).

Follow my procedure:

• Capture saml request (F12 developer tools using chrome or saml tracer using Firefox or fiddler...)

SP post saml request on the following URL: https://idp.domain.com/saml/idp/profile/redirectorpost/sso

• Once you capture the saml request decode IT
• First decode url

https://meyerweb.com/eric/tools/dencoder/

• Then saml decoder (b64 decoder)

https://www.samltool.com/decode.php

Just be carreful to one point you have to retrieve only SAML request (you have to not include "SAMLRequest: " ) when you want to decode saml request.

SO once you decoded saml request you can See ACS provide by SP. Take it an set it on your external SP...

The job is done :-)

keep me in touch

regards