Forum Discussion
NimbostratusSAML - LTM in front of SP
Hi Moeter
An approch would be to use SAML inline SSO check this https://techdocs.f5.com/en-us/bigip-16-0-0/big-ip-access-policy-manager-saml-configuration/config-apm-as-saml-idp-inline-sso.htmlBut It you want a simpler approach you could just create a Virtual Server for the SP itslelf
In this case just pointing ACS to Virtual Server IP would be enough. But dependign on the application itslef you might also need some persistence.If you want to have both IDP and SP under same Virtual Server you will have to disable Access Policy dor SP fqdn with some irule
The easiest way to troublshoot SAML asserions for me is though Browser plugin lik SAML-tracer plus logging on f5 itself.
Having a VS in front of SP should work. So I assume something is not configured correctly.
For inline sso yes you will not see saml between f5 and server through browser.
MoeterI'm not sure what could be wrong with a "simple" LTM VS in front. Loadbalancing is already working.
Nevertheless, i will have the chance to do more testing in a couple of days, and keep you posted about the results :)
Check the persistence or test with only one pool member.
Also check that saml config is correct. I mean at Sam point you mention of changing the acs but you don't really need to change acs. You have to point dns record of acs to f5
- Moeter
Sometimes, you can't see the forrest for the trees...
Did some more testing, and for sure, persistence was missing.
Many thanks!!
