Forum Discussion
Invalid nonce error messages with mobile devices and F5 as SAML SP/IDP
Hey Marvin, can you test going to a webtop in the rule? Then clicking on the configured SAML app?
Hi Shawn, we don't use webtops at all on F5; everything is SP-initiated going to the F5 IDP, or just plain HTTP going directly to F5 configured as the SP itself. Why do you mention this? Could you give me some more background information, please?
- Marvin (Cirrocumulus), Oct 09, 2019
For this policy the first step is SAML auth to F5 SP which connects to external IDP connector on the F5.
- Shawn_Conway (Cirrus), Oct 09, 2019
Was just thinking of trying it for troubleshooting, to see if the F5 IDP is working properly on the device using a browser. We are doing the same thing with our apps: you can go directly to them or to a webtop (mainly for me, for testing). But we are on version 14.0.0.5 and do not have an issue, and on 13.1 it was working as well, so could it be a new update on the devices? I am going to 15.1 at the end of the month to stay on a supported version.
- Marvin (Cirrocumulus), Oct 09, 2019
It seems that the F5 SP wants to perform the SAML auth to the external IDP connector (where the client already had an active session), but this is never executed and the F5 APM (SP) directly responds with this error message. This is such weird behavior.
- Marvin (Cirrocumulus), Oct 09, 2019
So the first request coming from the client is / and it does not provide any cookie. Then in the response from F5 I receive the cookie for session d60b31cc, all good. Now the client sends the next request to /my.policy with this MRH cookie, which is still good. Then I see a subsequent request coming from the client again to /my.policy, and it results in this invalid nonce error.