Forum Discussion
How do I see a SAML response?
I have made some progress in the last day or two. I'm now able to see the SAML token being validated and the content pulled out and stored in session variables. We stripped the details being sent through to the bare minimum and it now validates.
However, something else appears to be going wrong with the access profile. I'm currently getting the F5 logout pages with an "Invalid Session ID. Your session may have expired." error.
I added an iRule and put in a few outputs at various events. After the policy has completed and the next request starts, the access_session_started event is triggered and a new sessionID is created.
Mar 3 13:02:34 F5-int info tmm[8568]: Rule /Common/DSS_SAML_assertion : HTTP_REQUEST - sid:
Mar 3 13:02:34 F5-int info tmm[8568]: Rule /Common/DSS_SAML_ASSERTION : user -
Mar 3 13:02:34 F5-int info tmm[8568]: Rule /Common/DSS_SAML_ASSERTION : ACCESS_SESSION_STARTED - sid:c7016934
Mar 3 13:02:34 F5-int info tmm1[8568]: Rule /Common/DSS_SAML_ASSERTION : HTTP_REQUEST - sid:c7016934
Mar 3 13:02:34 F5-int info tmm1[8568]: Rule /Common/DSS_SAML_ASSERTION : user -
Mar 3 13:02:49 F5-int info tmm[8568]: Rule /Common/DSS_SAML_ASSERTION : ACCESS_POLICY_COMPLETED - sid:c7016934
Mar 3 13:02:49 F5-int info tmm[8568]: Rule /Common/DSS_SAML_ASSERTION : user - MG0028@production.local
Mar 3 13:02:49 F5-int info tmm[8568]: Rule /Common/DSS_SAML_ASSERTION : result - allow
Mar 3 13:02:49 F5-int info tmm1[8568]: Rule /Common/DSS_SAML_ASSERTION : HTTP_REQUEST - sid:c7016934
Mar 3 13:02:49 F5-int info tmm1[8568]: Rule /Common/DSS_SAML_ASSERTION : user - MG0028@production.local
Mar 3 13:02:49 F5-int info tmm1[8568]: Rule /Common/DSS_SAML_ASSERTION : ACCESS_SESSION_STARTED - sid:293dacc4
Why would the APM need to trigger the access_session_started event when it already has a sessionID?
Could there be something in my virtual server settings causing it? I set up an LDAP auth just to test, and once it authenticates it maintains the same session and I am able to access the application.
Thanks
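
A way to check longer iRule logs for the pattern described in this post, as an added example that is not part of the original post: the Python script below reads the log lines quoted above and reports every ACCESS_SESSION_STARTED that follows a completed policy for a different session ID. The function and field names are made up for the example, and it assumes the log line format shown in the post.

```python
import re

# Log lines copied from the post above (output of the poster's debug iRule).
LOG = """\
Mar 3 13:02:34 F5-int info tmm[8568]: Rule /Common/DSS_SAML_assertion : HTTP_REQUEST - sid:
Mar 3 13:02:34 F5-int info tmm[8568]: Rule /Common/DSS_SAML_ASSERTION : user -
Mar 3 13:02:34 F5-int info tmm[8568]: Rule /Common/DSS_SAML_ASSERTION : ACCESS_SESSION_STARTED - sid:c7016934
Mar 3 13:02:34 F5-int info tmm1[8568]: Rule /Common/DSS_SAML_ASSERTION : HTTP_REQUEST - sid:c7016934
Mar 3 13:02:34 F5-int info tmm1[8568]: Rule /Common/DSS_SAML_ASSERTION : user -
Mar 3 13:02:49 F5-int info tmm[8568]: Rule /Common/DSS_SAML_ASSERTION : ACCESS_POLICY_COMPLETED - sid:c7016934
Mar 3 13:02:49 F5-int info tmm[8568]: Rule /Common/DSS_SAML_ASSERTION : user - MG0028@production.local
Mar 3 13:02:49 F5-int info tmm[8568]: Rule /Common/DSS_SAML_ASSERTION : result - allow
Mar 3 13:02:49 F5-int info tmm1[8568]: Rule /Common/DSS_SAML_ASSERTION : HTTP_REQUEST - sid:c7016934
Mar 3 13:02:49 F5-int info tmm1[8568]: Rule /Common/DSS_SAML_ASSERTION : user - MG0028@production.local
Mar 3 13:02:49 F5-int info tmm1[8568]: Rule /Common/DSS_SAML_ASSERTION : ACCESS_SESSION_STARTED - sid:293dacc4
"""

# syslog prefix, tmm instance, rule name, then the iRule's own message
LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+\w+\s+tmm\d*\[\d+\]:\s+Rule\s+\S+\s+:\s*(.*)$")
EVENT = re.compile(r"^([A-Z_]+) - sid:(\w*)$")      # e.g. "HTTP_REQUEST - sid:c7016934"
FIELD = re.compile(r"^(user|result) -\s*(.*)$")     # e.g. "result - allow"

def find_session_restarts(text):
    """Return one finding per ACCESS_SESSION_STARTED that follows a
    completed policy for a different session ID."""
    findings, done, last_req_sid = [], None, ""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                                 # not an iRule log line
        ts, msg = m.groups()
        ev, fld = EVENT.match(msg), FIELD.match(msg)
        if fld and done and fld.group(2):
            done[fld.group(1)] = fld.group(2)        # attach user/result to the completed policy
        elif ev:
            name, sid = ev.groups()
            if name == "HTTP_REQUEST":
                last_req_sid = sid                   # sid the iRule logged for the latest request
            elif name == "ACCESS_POLICY_COMPLETED":
                done = {"sid": sid, "user": None, "result": None}
            elif name == "ACCESS_SESSION_STARTED" and done and sid != done["sid"]:
                findings.append({"time": ts, "old_sid": done["sid"], "new_sid": sid,
                                 "user": done["user"], "result": done["result"],
                                 "request_sid": last_req_sid})
                done = None
    return findings

if __name__ == "__main__":
    for f in find_session_restarts(LOG):
        print(f)
```

On the quoted log this reports a single restart: the policy completed with "allow" for sid c7016934, the next request was still logged with that sid, and a new session 293dacc4 was started anyway.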