SAML artifact server - using redirect not post

Question

Hihad a working setup.login.test.com -&gt; SAML IDPAuth.test.com -&gt; OAuth server + SAML SP - to get a OAuth token you needed a SAML IDthis worked well until I realised some of the redirects where actually posts and you needed a function javascript engine to process them !I went about changing the ARS on the IDP to redirect with authentication and setup a ACS to talk to itso login -&gt; SAML IDP + SAML ARS (artifact server)auth -&gt; OAuth + SAML SP + SAML ACS (artifact comsumer service .. basically - my understanding it make an out of band call to login - so it doesn't go via the browser)all working good except for the ACS -&gt; ARS call. I can see the request making it to login, I have an irule to capture the post but the VS is terminating the link tcp rst.&nbsp;No logging in APM or LTM logs I have debug turned on for access profile and SSO doesn't help.&nbsp;Any one got it working ? Any one got any ideas on how to debug the next step&nbsp;&nbsp;&nbsp;

jrahm · Answer

hey&nbsp;AlexS_yb,&nbsp;any movement with support? I'm not sure I can help much here, but wanted to make sure I followed up. Keep us posted!

alexs_yb · Answer

Thanks for following up.I'm told its with engineering - they can reproduce. I am now just waiting for a work around or patch !Although its been a while

alexs_yb · Answer

Quick update - F5 tech support - nearly 5 days later - well its xmas. seems like I have run into a bug.

something about http vs https. want me to present the ARS via port 80 not port 443.

Tried it again nothing - the ARS kills the connection after recieveing it !

Still at a loss on how to debug or even verify that ARS is working properlu

scot_jc · Answer

Hi,
When it comes to troubleshooting, I'd record a packet trace aftere we enabled the TCP Reset causes:

tmsh modify sys db tm.rstcause.pkt value enabletmsh modify sys db tm.rstcause.log value enable

Hopefully, this should help (tell?) us why the ARS VS is reseting the connection.

alexs_yb · Answer

That looks very useful, got thisNo server selectedwhich is strange, working with F5 support team they reacon i have hit a bug - i had it attached to my https VS and had a ssl client profile. they suggested to create a new vs and add a pool. instead I attached my ars to my http VS. its almost like the VS doesn't recognise the call as a SAML.&nbsp;THinking out loud - maybe because I don't have the APM profile attached to the http VS.So setup a pool and reverse proxy it from the http to the https vs&nbsp;I have done a tcpdump and I can see a rst - but nothing in the rst logsinteresting I can see the request making it to VS - i have a IRULE that captures the request and logs it !I have tried using that post and hand crafting it with curl and sending it manually - again I can see the request coming in but noting back

Forum Discussion

SAML artifact server - using redirect not post

Recent Discussions

F5APM SSO SAML OAUTH

unable to question about getting hsl data to be formatted properly in splunk

question about getting hsl data to be formatted properly in splunk

Problem with lets encrypt and redirect after update

automatic learning logs/report ?

Related Content

Http redirection

http2https redirection

Redirect single URL (hostname) only.

iRule to redirect traffic to a server

Redirect rewrite iRule

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS