Forum Discussion

sgelmi_263595
Oct 06, 2017

[SAML] APM as SP with ADFS as IdP, Assertion info not found

Hi, I've configured an APM as SP (TMOS v12.1.2 HF1) and I use an external IdP (ADFS). The configuration is correct; I've followed the manual Using APM as a SAML Service Provider.

After configuring the SP and importing the metadata from the IdP, I exported the metadata and imported it into ADFS.

If I try to authenticate, I see the POST to ADFS and the POST to APM, but after this POST I receive an error and my access policy terminates with DENY.

If I look at the logs on APM, I see only this error:

Oct  6 11:14:34 BIG-IP-F5-1 debug apmd[22385]: 01490000:7: modules/Authentication/Saml/SamlSPAgent.cpp func: "SamlSPAgentexecuteInstance()" line: 1115 Msg: Matched idp connector name: /Common/my_IDP
Oct  6 11:14:34 BIG-IP-F5-1 debug apmd[22385]: 01490000:7: modules/Authentication/Saml/SamlSPAgent.cpp func: "SamlSPAgentexecuteInstance()" line: 1116 Msg: Doing SAML SP Initiated Auth: /
Oct  6 11:14:34 BIG-IP-F5-1 debug apmd[22385]: 01490000:7: ./AccessPolicyProcessor/SessionState.h func: "clearTempSessionAgentState()" line: 110 Msg: Agent did not initiated the scheduled agent
Oct  6 11:14:34 BIG-IP-F5-1 debug apmd[22385]: 01490000:7: AccessPolicyProcessor/AccessPolicy.cpp func: "execute()" line: 532 Msg: Let's evaluate rules, total number of rules for this action=2
Oct  6 11:14:34 BIG-IP-F5-1 debug apmd[22385]: 01490000:7: AccessPolicyProcessor/AccessPolicy.cpp func: "execute()" line: 538 Msg: Rule to evaluate = "expr {[mcget {session.saml.last.result}] == 1}"
Oct  6 11:14:34 BIG-IP-F5-1 debug apmd[22385]: 01490000:7: AccessPolicyProcessor/AccessPolicy.cpp func: "execute()" line: 538 Msg: Rule to evaluate = ""
Oct  6 11:14:34 BIG-IP-F5-1 err apmd[22385]: 0149020f:3: /Common/WebAPP:Common:83748128: SAML Agent: /Common/WebAPP_act_saml_auth_ag cannot find assertion information in SAML request

The SSO and APMD log var is set to DEBUG.

I have the trace taken by SAML TRACKER (FF plugin) and it seems correct (correct entity ID, correct Assertion, correct cert used for signing, etc.).

The only thing that I see different from the "web example" is the missing prefix in the XML tags:


...
        
        
            
                https://***
            
        
        
            
                ***
            
        
.....

In examples, I've always seen the prefix saml:

How can I better troubleshoot this issue? Is the prefix necessary in the SAML Response?

Any response will be greatly appreciated.

Thanks, Regards, S
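
Added example, not part of the original post: in namespace-aware XML an element is identified by its namespace URI and local name, so `<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">` and `<saml:Assertion>` name the same element. The script below decodes a captured SAMLResponse form value and reports its status, issuer and how many plain or encrypted assertions it carries; the two trimmed sample responses, the idp.example.test URL and the function names are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespace URIs (from the SAML 2.0 core specification)
NS_ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"


def inspect_saml_response(b64_response: str) -> dict:
    """Summarise a base64 SAMLResponse value (HTTP-POST binding) from your own capture."""
    root = ET.fromstring(base64.b64decode(b64_response))
    # ElementTree expands every tag to {namespace-uri}localname, so these
    # lookups match whatever prefix (or none) the IdP chose when serialising.
    status = root.find(f"{{{NS_PROTOCOL}}}Status/{{{NS_PROTOCOL}}}StatusCode")
    issuer = root.find(f"{{{NS_ASSERTION}}}Issuer")
    return {
        "root": root.tag,
        "status": status.get("Value") if status is not None else None,
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "assertions": len(root.findall(f"{{{NS_ASSERTION}}}Assertion")),
        "encrypted_assertions": len(root.findall(f"{{{NS_ASSERTION}}}EncryptedAssertion")),
    }


# Constructed samples: identical content, serialised with and without the saml: prefix.
PREFIXED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.test/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>https://idp.example.test/adfs/services/trust</saml:Issuer></saml:Assertion>
</samlp:Response>"""

UNPREFIXED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.test/adfs/services/trust</Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0"><Issuer>https://idp.example.test/adfs/services/trust</Issuer></Assertion>
</samlp:Response>"""


def encode(xml_text: str) -> str:
    """Base64-encode XML the way the HTTP-POST binding carries it."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    for name, doc in (("prefixed", PREFIXED), ("unprefixed", UNPREFIXED)):
        print(name, inspect_saml_response(encode(doc)))
```

Both samples produce the same summary; on a real capture, a count of zero for `assertions` alongside a non-zero `encrypted_assertions`, or a non-Success status, is the kind of difference worth comparing against the SP configuration.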
