Forum Discussion
NimbostratusIssue with double encoded redirect URI
Have the following configured to talk to SAML IdP using BIG-IP as SP. Version BIG-IP 12.1.0 Build 1.0.1447 Hotfix HF1
apm aaa saml-idp-connector DSLOGON-PORTAL-IDP-CONNECTOR {
artifact-resolution-service-addr 214.3.119.43
artifact-resolution-service-port https
artifact-resolution-service-url https://pkictws.dmdc.osd.mil/opensso/ArtifactResolver/metaAlias/authorization
basic-auth-password $M$cT$FZWwCRcHK+SLrSWAZM5qE6PI0+Jpy2NYVvo0eTm9tbI=
basic-auth-username admin
description "Connector for portal"
entity-id https://portal.sfl-tap.army.mil
idp-certificate my-test-dmdc.crt
serverssl-profile-name dmdc-serverssl
sign-artifact-resolution-rq true
signature-type rsa-sha256
sso-binding http-redirect
sso-uri https://webct2.dmdc.osd.mil/identitymanagement/authenticate.do\?gotoUrl=https%3a%2f%2fwebct2.dmdc.osd.mil%2fopensso%2fidpssoinit%3fmetaAlias%3d%2fauthorization%26spEntityID%3dhttps%3a%2f%2fportal.sfl-tap.army.mil%26binding%3durn%3aoasis%3anames%3atc%3aSAML%3a2.0%3abindings%3aHTTP-Artifact
want-authn-request-signed true
want-detached-signature true
}
The client navigates to the landing uri '/' and is supposed to redirected to the sso-uri defined above. The issue is that the double-encoded part of the sso-uri is getting unwrapped before it gets sent to the IdP. The redirect is supposed to end up at a skinned page but it gets sent to a default page instead...
/identitymanagement/authenticate.do?gotoUrl=https://webct2.dmdc.osd.mil/opensso/idpssoinit?metaAlias=/authorization&spEntityID=https://portal.sfl-tap.army.mil&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact?SAMLRequest=hVNdb9MwFP0rkaU%2BNl8NWWY1RWEFUWlAtXY88IJuHaez5NjB12F0v54bdxObBEOK%2FHXvPff4%2BGSJ0OuBN6O%2FMzfyxyjRR796bZCHQM1GZ7gFVMgN9BK5F3zXfLrmeZzywVlvhdUsahCl88qaK2tw7KXbSfdTCXl7c12zO%2B8H5EkyWOdBx9jpuYchBtef4l7pZOqU4JAQXKe0pDz0CQhk0ZroKAMT8B%2BYe3kQPo%2FbvhWxxTZAqFYar%2FypBwNH2dMmAbrSdCjAy7i1b4%2FE9dbpOsDMFjDLO%2Fr%2BAkandpAG0dJKtQMtlFF%2Btuh66aHRCqi8pdjUwTr1EPjN8hKH94HEZk3xl23%2BcXUqOijTKnOkClKa8oPWNAe1afaChklxmkhzGh8rpuDH%2FX47b0j4DoRn0WZds%2B9VlaYllFnVFR3kWS66i7IoLrvqQJsqX5TFmwvIKBlxlBuDHoyvWZ5m5Tyt5ot0n13yvOBZGadp%2Fo1FH6wTMvijZh1olCzaPr77uzOT103yRJcHstsvuz2LvkqH4U0pga2WkwF44OOeme91WHhyHFv9z1%2FL5FmDc7eBfybEzXprtRKnqNHa3l85SVapmXejZMnqXPXy11j9Bg%3D%3D&RelayState=%2F&SigAlg=http%3A%2F%2Fwww%2Ew3%2Eorg%2F2001%2F04%2Fxmldsig%2Dmore%23rsa%2Dsha256&Signature=QMGEY9HEqipChAXXYMYIAN%2FtwGCoib7izahVcflUv0qRoDX3ey0VKKLNkb8dFQ%2BSd%2FEzVUhkaqVa2aIYLR1Q9ZbkNLwCFcJ58dgfcMLmvFDqiYR9zaktbEMo%2BBMswQ7ZQrE14g%2Frhb%2B25XVMZlOMQRJGIQSMaY9vP0wUEGONTz6YAvc2GJqbqV9lslaftznsVfqhfDWJHGhW5YemHVoMjZzOHnJHomhl6Wdqr%2BJC%2B3HMR5YC9ab4eiCtbv5jcQ8uF03tsHOiKYAfY1i9JF8T%2BxU2vdIXBCxXypgYuPik3EzX2X1vIFdmwsbOHk8vU1BVp4tjf7Xossy5Qify%2BRkF6w%3D%3D
The SAML request is not causing the issue. We've tested that.
I have tried several different ways of entering this with no luck. If I paste in the same redirect to a IE 11 browser it all works fine.
Any advice is appreciated. I am somewhat new to APM and I am stuck.
Michael Harpe michael.e.harpe.civ@mail.mil
4 Replies
The way you're posting the data is kind of confusing, could you adjust / fix it? I assume the end user is probably browsing to APM SP, then there is something wrong with the SAML Authentication Request OR the redirect URI issued by APM SP. Could you:
1- Let us know what the client's URI or AuthN currently is. This is the undesired behavior. 2- Let us know what you would like the client's URI or AuthN to be. This is the desired behavior.
Mike_Harpe_6170The issue is that when the F5 sends the Single sign on redirect the double encoded part of the URI is being unwrapped and that's causing problems at the IdP.
I managed to clean up the posting some. I hope that helps.
- Henrik_S
Decoding the second URI and comparing, it seems that there is some kind of interfering device on the network path, I guess Cisco AMP?:)
- Mike_Harpe_6170
Don't think so. I don't know of anything in our stack that would do that. Are we sure the APM software isn't doing it for some reason?
