Forum Discussion

dp_119903
Cirrostratus
Jun 02, 2016

Is there an APM SAML error legend or documentation?

We are using APM and have our F5s set up as SAML SPs for a number of sites. In the past we bypassed the access policy if the users were sourcing their request from within our IP space (trusted source); however, we just recently changed this, so now no matter what, users are redirected to the IDP and then back into the resource. While this is working well for the vast majority, I'm getting little complaints here and there for users accessing a specific site. When I look into the error message, all it says is:
"SAML assertion is invalid, error: Invalid Session, possible use of different host names to access SAML SP"
It's strange because this appears to be working for thousands of users, but for the ten or so for whom it's not, they are all getting the same error. They are sourcing from different destinations and have no common denominator other than the error message that they are getting. I can't replicate the issue, so I was hoping that there was some sort of legend or document that would elaborate on the error message above so that I could try and identify what is causing this.
Thanks.
  • I am very interested in this as well but for a different reason -- I would like to get a reference to the syslog messages so I can get my SIEM to understand APM.
  • Greetings, were you able to get a fix for this problem?
    Thanks,

  • I saw this error log sometimes, but didn't find any relevant explanation.

    Was anyone able to find something useful?

    Thanks

  • PSilva
    Ret. Employee

    Hi - This might help. It's the Log Messages Reference Document:

    https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/log-messages.html
    I did a page search for 'SAML assertion' and a couple appeared similar to your error message.

  • svs
    Cirrostratus

    The log message is not documented in https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/log-messages.html!
    I ran into this issue today and came across this article. I found the message

    SAML assertion is invalid, error: Invalid Session, possible use of different host names to access SAML SP

    as reason for my issue. The reason for this issue is very simple: SameSite settings in APM access profile.

    In my case, SameSite was enabled and set to strict in my access profile (default in APM 17.1+). This caused the browser to stop sending the MRHSession cookie to the APM when I was redirected back from the IDP to the APM (with the assertion). A new session was created, indicated by

    New session from client IP x.x.x.x

    messages in the log. Once again, the behavior of the BIG-IP/APM is not very helpful for discovering the real issue. On the other hand, the APM is not able to discover that this is a recurring client if the session cookie is not sent... in the end it's SameSite and the browser. 😒
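The mechanism svs describes above, as an added example that is not part of the thread and not F5 code: a small model of a browser cookie jar that applies the SameSite rules to the top-level navigations of an SP-initiated SAML login, plus a toy SP that logs the two messages quoted in the thread. It also generalises slightly beyond the post: per the SameSite rules, a Lax cookie is likewise withheld on a cross-site top-level POST (the SAML HTTP-POST binding), so only SameSite=None (with Secure) survives the IdP's POST back to the SP. The host names, the client IP, the session-state handling and the `samesite_symptom` heuristic (for the SIEM question raised earlier in the thread) are all constructed assumptions, not APM internals.

```python
"""Model of why a SameSite=Strict session cookie breaks an SP-initiated SAML login.

Added example; hosts, IPs, session handling and log text are constructed, not
captured from a BIG-IP. Only the two log message strings come from the thread.
"""
import itertools
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    same_site: str  # "Strict" | "Lax" | "None"


@dataclass
class Browser:
    """Cookie jar that applies the SameSite rules for top-level navigations."""
    jar: list = field(default_factory=list)

    def set_cookie(self, c: Cookie) -> None:
        self.jar = [x for x in self.jar if (x.name, x.domain) != (c.name, c.domain)] + [c]

    def cookies_for(self, url: str, method: str, initiator_site: str) -> dict:
        """Cookies attached to a navigation to `url` initiated from `initiator_site`.
        Site comparison is simplified to an exact host match (assumption)."""
        target = urlsplit(url).hostname
        sent = {}
        for c in self.jar:
            if c.domain != target:
                continue
            cross_site = initiator_site != c.domain
            if cross_site and c.same_site == "Strict":
                continue  # never sent on a cross-site navigation
            if cross_site and c.same_site == "Lax" and method != "GET":
                continue  # Lax: cross-site only for safe (GET) top-level navigations
            sent[c.name] = c.value
        return sent


class ApmSp:
    """Toy SAML SP: issues MRHSession on first contact and only accepts an assertion
    on the session that started the flow (constructed behaviour, not APM's code)."""

    def __init__(self, host: str, same_site: str):
        self.host, self.same_site = host, same_site
        self.sessions = {}
        self.log = []
        self._ids = itertools.count(1)

    def request(self, browser, method, initiator_site, client_ip, assertion=None):
        url = f"https://{self.host}/"
        sid = browser.cookies_for(url, method, initiator_site).get("MRHSession")
        if sid not in self.sessions:  # cookie missing or unknown: brand-new session
            sid = f"sess{next(self._ids)}"
            self.sessions[sid] = {"authn_request_sent": False, "authenticated": False}
            self.log.append(f"New session from client IP {client_ip}")
            browser.set_cookie(Cookie("MRHSession", sid, self.host, self.same_site))
        state = self.sessions[sid]
        if assertion is None:
            state["authn_request_sent"] = True
            return "redirect-to-idp"
        if not state["authn_request_sent"]:  # assertion arrived on a fresh session
            self.log.append("SAML assertion is invalid, error: Invalid Session, "
                            "possible use of different host names to access SAML SP")
            return "error"
        state["authenticated"] = True
        return "ok"


def sp_initiated_login(same_site, response_method="POST", sp_host="sp.example.com",
                       idp_host="idp.example.net", client_ip="203.0.113.7"):
    """Run one login: user opens the SP, is sent to the IdP, IdP returns the assertion
    via a cross-site top-level request. Returns (result, log lines)."""
    sp, browser = ApmSp(sp_host, same_site), Browser()
    sp.request(browser, "GET", sp_host, client_ip)                      # first visit
    result = sp.request(browser, response_method, idp_host, client_ip,  # IdP -> SP
                        assertion="<constructed assertion>")
    return result, sp.log


def samesite_symptom(log_lines):
    """SIEM-style heuristic: return IPs that opened two or more sessions before an
    'Invalid Session' SAML error appeared, i.e. the session cookie was not replayed."""
    new_sessions = {}
    for line in log_lines:
        if line.startswith("New session from client IP "):
            ip = line.rsplit(" ", 1)[1]
            new_sessions[ip] = new_sessions.get(ip, 0) + 1
        elif "Invalid Session" in line:
            return sorted(ip for ip, n in new_sessions.items() if n >= 2)
    return []


if __name__ == "__main__":
    for policy in ("Strict", "Lax", "None"):
        result, log = sp_initiated_login(policy)
        print(f"SameSite={policy}: {result}; suspect IPs: {samesite_symptom(log)}")
```

Running it shows Strict and Lax both ending in the "Invalid Session" error after a second "New session from client IP" line, while None completes the login; switching `response_method` to "GET" makes Lax succeed, which is the practical difference between the redirect-style and POST-style return from the IdP. The `samesite_symptom` heuristic is the kind of correlation a SIEM rule could apply to these two messages, since the error line itself carries no client IP.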