Forum Discussion

Altostratus

Apr 23, 2021

Problems with BigIP/APM as Identity Provider for SAML2

Problem One: I've configured my BiIP/APM as Identity Provider for SAML SSO (SP-Inited SSO) integration with our partner(Service Provider). When the counterpart Service Provider POST (by default, ...

BIG-IP Access Policy Manager (APM)

LTM

security

Nikoolayy1

MVP

Apr 23, 2021

For the second issue you may be having the bug in article https://support.f5.com/csp/article/K13423312 , so check /var/log/apm (maybe enable some debug logging to see more info https://support.f5.com/csp/article/K45423041 / https://support.f5.com/csp/article/K41437771):

For the first issue maybe your artifact is not configured with POST and for F5 is normal to use POST for assertion and to switch to GET for the artifact.

%%%%%%%%%

Request method is changed to POST for assertion and to POST/GET for artifact based on the matched assertion consuming:

%%%%%%%%%

https://support.f5.com/csp/article/K06743491

You may try to manually set URL where the IdP can send an assertion to this service provider

&&&&&&&&&&&&&&&&&&&&&

Click Add.A new row displays in the table.
In the Index field, type the index number, zero (0) or greater.
If this is the default service, select the Default check box. You must specify one of the services as the default.
In the Location URL field, type the URL where the IdP can send an assertion to this service provider.APM supports HTTP-Artifact binding, POAS (HTTP reverse SOAP) binding, and HTTP-POST binding to this service.
From the Binding list, select Artifact, PAOS, or POST.
Click Update.

&&&&&&&&&&&&&&&&

https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-12-1-0/29.html

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)