For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

dp_119903's avatar
dp_119903
Icon for Cirrostratus rankCirrostratus
Jun 02, 2016

Is there an APM SAML error legend or documentation?

We are using APM and have our F5's setup as SAML SP's for a number of sites. In the past we bypassed the access policy if the users were sourcing their request from within our IP space (trusted sour...
application delivery
BIG-IP Access Policy Manager (APM)
security
svs's avatar
svs
Icon for Cirrostratus rankCirrostratus
Feb 05, 2025

The log message is not documented in 

https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/log-messages.html!

 

I've ran into this issue today and came across this article. I found the message 

SAML assertion is invalid, error: Invalid Session, possible use of different host names to access SAML SP

as reason for my issue. The reason for this issue is very simple: SameSite settings in APM access profile.

In my case, SameSite was enabled and set to strict in my access profile (default in APM 17.1+). This caused the browser to stop sending the MRHSession cookie to the APM when I were redirected back from the IDP to the APM (with the assertion). A new session was created, indicated by 

New session from client IP x.x.x.x

messages in the log. Once again the behavior of the BIG-IP/APM is not very helpful to discover the real issue. On the other hand, the APM is not able to discover, that this is a recurring client, if the session cookie is not sent...at the end it's SameSite and the browser. 😒