Is there an APM SAML error legend or documentation?
We are using APM and have our F5s set up as SAML SPs for a number of sites. In the past we bypassed the access policy if the users were sourcing their request from within our IP space (trusted source); however, we just recently changed this, so now, no matter what, users are redirected to the IDP and then back into the resource. While this is working well for the vast majority, I'm getting little complaints here and there for users accessing a specific site. When I look into the error message all it says is:
"SAML assertion is invalid, error: Invalid Session, possible use of different host names to access SAML SP"
It's strange because this appears to be working for thousands of users, but for the ten or so for whom it's not, they are all getting the same error. They are sourcing from different destinations and have no common denominator other than the error message that they are getting. I can't replicate the issue, so I was hoping that there was some sort of legend or document that would elaborate on the error message above so that I could try and identify what is causing this.
Thanks.
- I am very interested in this as well but for a different reason -- I would like to get a reference to the syslog messages so I can get my SIEM to understand APM.
- Edouard
Cirrus
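As an added example of the kind of correlation a SIEM rule could run once it understands the two APM messages quoted in this thread ("New session from client IP ..." and "SAML assertion is invalid, error: Invalid Session ..."), here is a small parser and correlator. It is not code from the thread or from F5; the log line layout (`<time> <host> apm: session=<id> client=<ip>: <message>`) and the sample lines are constructed for the example, so the regex must be adapted to the real syslog format. The idea follows svs's observation later in the thread: an "Invalid Session" error that lands in a session created only seconds earlier points at the session cookie not having been returned, which is a different problem from an assertion that fails inside an established session.

```javascript
// Added example, not from the thread or from F5. Log format and sample lines
// are constructed; the two message texts are the ones quoted in the thread.

// Constructed APM-style lines: time, host, source, session id, client IP, message.
const SAMPLE_LOG = [
  '2024-05-01T09:50:00Z bigip apm: session=0f0f0f0f client=198.51.100.7: New session from client IP 198.51.100.7',
  '2024-05-01T10:00:00Z bigip apm: session=a1b2c3d4 client=203.0.113.10: New session from client IP 203.0.113.10',
  '2024-05-01T10:00:02Z bigip apm: session=a1b2c3d4 client=203.0.113.10: SAML assertion is invalid, error: Invalid Session, possible use of different host names to access SAML SP',
  '2024-05-01T10:01:00Z bigip apm: session=0f0f0f0f client=198.51.100.7: SAML assertion is invalid, error: Invalid Session, possible use of different host names to access SAML SP',
  '2024-05-01T10:01:30Z bigip apm: session=77777777 client=192.0.2.5: New session from client IP 192.0.2.5',
  '2024-05-01T10:01:31Z bigip ltm: unrelated line that the parser must ignore',
];

// Assumed line layout (adapt to the real syslog format of the BIG-IP).
const LINE_RE = /^(\S+) \S+ apm: session=([0-9a-f]+) client=(\d+(?:\.\d+){3}): (.*)$/;

// Parse one line into a structured event, or null when it is not an APM line.
function parseApmLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ts: Date.parse(m[1]), session: m[2], client: m[3], message: m[4] };
}

const NEW_SESSION_RE = /^New session from client IP/;
const INVALID_SESSION_RE = /^SAML assertion is invalid, error: Invalid Session/;

// For every "Invalid Session" error, report whether the session it was logged
// under was created within windowMs before the error (cookie-not-returned
// symptom) or is an older, established session (look elsewhere).
function correlateInvalidSessions(lines, windowMs = 30000) {
  const events = lines.map(parseApmLine).filter(Boolean);
  const creations = new Map(); // session id -> timestamp of "New session"
  for (const e of events) {
    if (NEW_SESSION_RE.test(e.message)) creations.set(e.session, e.ts);
  }
  const findings = [];
  for (const e of events) {
    if (!INVALID_SESSION_RE.test(e.message)) continue;
    const created = creations.get(e.session);
    const age = created === undefined ? null : e.ts - created;
    findings.push({
      client: e.client,
      session: e.session,
      sessionAgeMs: age,
      freshSession: age !== null && age >= 0 && age <= windowMs,
    });
  }
  return findings;
}

// Roll the findings up per client IP, the view an analyst would pivot on.
function summarizeByClient(findings) {
  const out = {};
  for (const f of findings) {
    const row = out[f.client] || (out[f.client] = { errors: 0, freshSessionErrors: 0 });
    row.errors += 1;
    if (f.freshSession) row.freshSessionErrors += 1;
  }
  return out;
}

// Stand-alone run.
console.log(summarizeByClient(correlateInvalidSessions(SAMPLE_LOG)));
```

Clients whose errors are all `freshSessionErrors` are the ones to check for cookie handling (SameSite policy of the access profile, or an ACS hostname that differs from the one the session cookie was set on); clients with errors inside older sessions need a different explanation.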
Greetings, were you able to get a fix for this problem?
Thanks,
- Abdessamad1
Cirrostratus
I saw this error log sometimes, but didn't find any relevant explanation.
Was anyone able to find something useful?
Thanks
- PSilva
Ret. Employee
Hi - This might help. It's the Log Messages Reference Document:
https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/log-messages.html
I did a page search for 'SAML assertion' and a couple appeared similar to your error message.
- svs
Cirrostratus
The log message is not documented in
https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/log-messages.html!
I ran into this issue today and came across this article. I found the message
SAML assertion is invalid, error: Invalid Session, possible use of different host names to access SAML SP
as reason for my issue. The reason for this issue is very simple: SameSite settings in APM access profile.
In my case, SameSite was enabled and set to strict in my access profile (default in APM 17.1+). This caused the browser to stop sending the MRHSession cookie to the APM when I was redirected back from the IDP to the APM (with the assertion). A new session was created, indicated by
New session from client IP x.x.x.x
messages in the log. Once again the behavior of the BIG-IP/APM is not very helpful to discover the real issue. On the other hand, the APM is not able to discover that this is a recurring client if the session cookie is not sent... in the end it's SameSite and the browser. 😒
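To make the mechanism svs describes concrete, here is an added example (not code from the thread, from F5, or from any browser) that models the browser rules deciding whether a cookie such as APM's MRHSession is attached to a request, and replays the SP-initiated SAML round trip through them. It also covers the other cause the error text hints at, the ACS being reached under a different host name than the one the session cookie was set on. The host names, the function names and the "site" approximation are assumptions made for the example.

```javascript
// Added example, not from the thread or from F5. Models RFC 6265bis SameSite
// behaviour and host-only cookie scoping for the SAML SP-initiated flow.

// "Site" approximated as the last two DNS labels (a real browser consults the
// Public Suffix List); good enough for example.com-style hosts.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// cookie: { host, sameSite: 'Strict' | 'Lax' | 'None', secure }
// req:    { method, targetHost, initiatorHost, topLevelNavigation }
function cookieIsSent(cookie, req) {
  // Host-only scoping: the cookie returns only to the exact host that set it.
  // This is the "different host names to access SAML SP" case.
  if (cookie.host.toLowerCase() !== req.targetHost.toLowerCase()) return false;

  if (cookie.sameSite === 'None') {
    // SameSite=None is honoured only on Secure cookies.
    return cookie.secure === true;
  }
  if (siteOf(req.initiatorHost) === siteOf(req.targetHost)) return true;
  if (cookie.sameSite === 'Strict') return false;
  // Lax: cross-site only on a top-level navigation that uses a safe method.
  return req.topLevelNavigation === true && SAFE_METHODS.has(req.method.toUpperCase());
}

// The exchange from the thread. The IdP returns the assertion with the
// HTTP-POST binding: a cross-site, top-level POST to the SP's ACS URL.
function samlSpInitiatedFlow(spHost, acsHost, idpHost) {
  return [
    { step: 'user opens SP',              method: 'GET',  targetHost: spHost,  initiatorHost: spHost,  topLevelNavigation: true },
    { step: 'APM redirects to IdP',       method: 'GET',  targetHost: idpHost, initiatorHost: spHost,  topLevelNavigation: true },
    { step: 'IdP POSTs assertion to ACS', method: 'POST', targetHost: acsHost, initiatorHost: idpHost, topLevelNavigation: true },
  ];
}

// true when the MRHSession cookie set at step 1 reaches the ACS at step 3.
// false reproduces the symptom in the thread: APM sees a brand-new session
// and reports "Invalid Session".
function sessionSurvivesRoundTrip({ sameSite, spHost, acsHost = spHost, idpHost }) {
  const cookie = { name: 'MRHSession', host: spHost, sameSite, secure: true };
  const flow = samlSpInitiatedFlow(spHost, acsHost, idpHost);
  return cookieIsSent(cookie, flow[flow.length - 1]);
}

// Compare the three SameSite settings for one SP/IdP pair.
function compareScenarios(spHost, idpHost) {
  const out = {};
  for (const sameSite of ['Strict', 'Lax', 'None']) {
    out[sameSite] = sessionSurvivesRoundTrip({ sameSite, spHost, idpHost });
  }
  return out;
}

// Stand-alone run: cross-site IdP versus an IdP under the same site.
console.log('cross-site IdP:', compareScenarios('app.example.com', 'idp.example.org'));
console.log('same-site IdP: ', compareScenarios('app.example.com', 'idp.example.com'));
```

Two things the run makes visible: with a cross-site IdP, Lax fails the HTTP-POST binding just like Strict, because the assertion arrives by POST, so only SameSite=None (on a Secure cookie) or an IdP under the same registrable domain keeps the session; and even with SameSite=None the session is lost when the ACS host name differs from the host that set the cookie. The model leaves out Chromium's temporary "Lax+POST" allowance, which applies only to cookies that carry no SameSite attribute at all and are less than two minutes old, so it does not rescue an explicit Lax setting.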