Forum Discussion
SAML IDP - multiple SP
I'm trying to bind two SPs on the same IdP, but I get the following error.
MCP Error01070734:3: Configuration error: When saml_sso_config (/Common/IdP) object is assigned to saml_resource (/Common/SAML_Resource), it should have only one sp_connector object associated with it.
Any help would be appreciated.
Thanks
11 Replies
- Michael_Koyfman
Cirrocumulus
What exactly is the scenario you are trying to achieve? Can you please describe? You can't bind multiple SP connectors to one IDP connector if you are configuring a scenario where IDP-initiated connections are possible. Please share a bit more about the scenario and you'll get the best advice on how to implement it.
- CDG
Nimbostratus
Our SAML scenario is for both IdP- and SP-initiated connections. We have to do a SAML auth to our partner for two environments, staging and production. Staging is configured as this and I would like to use the same IdP for production.
-Virtual server
-Access Policy with advanced resource assignment (SAML resource and Webtop)
-iRule for NTLM auth from internal network
-iRule for detection of an SP-initiated (not sending redirect) or IdP-initiated (sending redirect) connection
- Michael_Koyfman
Cirrocumulus
You would have to duplicate the IDP configuration then - it could be completely identical in everything except the actual config object name - so like IDP_prod and IDP-staging. Then you'd be able to bind each separately to the respective SP connector and use them to publish on the webtop.
- CDG
Nimbostratus
Done this, but no luck... If I assign 2 SAML resources on the same webtop, I now get ..../vdesk/hangup.php3. Can you help to modify the redirect iRule?
Redirect iRule:

    when ACCESS_POLICY_COMPLETED {
        # SP-initiated flows land on the IdP SSO endpoint; leave them alone so APM finishes the SAML exchange
        if { [ACCESS::session data get session.server.landinguri] == "/saml/idp/profile/redirectorpost/sso" } {
            log local0. "SP initiated SAML detected, not sending redirect"
        } else {
            # IdP-initiated flow: send the user straight to the assigned SAML resource instead of the webtop.
            # session.assigned.resources.saml lists the assigned SAML resource name(s); with two SAML
            # resources on the webtop it no longer names a single resource.
            ACCESS::respond 302 Location "/saml/idp/res?id=[ACCESS::session data get session.assigned.resources.saml]"
            log local0. "IDP initiated SAML detected, sending redirect"
        }
    }
- CDG
Nimbostratus
I may be looking in the wrong direction. The iRule may not work with multiple SAML resources on a Webtop. In fact, it means that I now have an issue with the SP-initiated connection.
Is there any reason why an SP-initiated connection hits https://login.com/my.policy instead of redirecting automatically to the SP after a successful AD auth process?
- CDG
Nimbostratus
From the SP metadata... the service provider configured use=signing and use=encryption with a certificate. APM was expecting the SP to include a signature in their AuthnRequest for SP-initiated connections, but that was not the case. Modifying the SAML SP Connector / Security Settings / "Will be signed" from yes to no fixed the problem.
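The fix above came from a mismatch between what the SP's metadata declared (a signing certificate) and what the SP actually sent (unsigned AuthnRequests). The script below is an added example, not code from this thread or from F5: it reads a constructed SP metadata document and a constructed AuthnRequest in both the HTTP-Redirect and HTTP-POST bindings and reports whether the declared posture and the observed request agree. That is the check to run before deciding which side to change. The host names, entity IDs, request IDs and certificate text are placeholders; only the IdP SSO path is taken from the iRule in the thread.

```python
"""Compare what an SP's SAML metadata declares about request signing with what its
AuthnRequests actually carry. Added example; metadata, request and host names are
constructed placeholders, not material from the thread or from F5."""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed SP metadata: a signing key, an encryption key and AuthnRequestsSigned="true",
# i.e. the SP promises to sign its requests (the situation the thread describes).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-SIGNING-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-ENCRYPTION-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed, unsigned AuthnRequest aimed at the IdP SSO path seen in the thread's iRule.
IDP_SSO_URL = "https://login.example.test/saml/idp/profile/redirectorpost/sso"
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-request-1" '
    f'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{IDP_SSO_URL}">'
    "<saml:Issuer>https://sp.example.test/saml</saml:Issuer></samlp:AuthnRequest>"
)
# Same request with a placeholder ds:Signature element (structure only, not a real signature).
SIGNED_AUTHN_REQUEST = AUTHN_REQUEST.replace(
    "</saml:Issuer>",
    '</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    "<ds:SignatureValue>PLACEHOLDER-NOT-A-REAL-SIGNATURE</ds:SignatureValue></ds:Signature>",
)


def declared_signing(metadata_xml):
    """What the metadata claims: the AuthnRequestsSigned flag and the KeyDescriptor uses.
    A KeyDescriptor without a use attribute is valid for both signing and encryption."""
    sp = ET.fromstring(metadata_xml).find(".//md:SPSSODescriptor", NS)
    uses = set()
    for kd in sp.findall("md:KeyDescriptor", NS):
        use = kd.get("use")
        uses.update({"signing", "encryption"} if use is None else {use})
    flag = sp.get("AuthnRequestsSigned", "false").lower() == "true"
    return {"authn_requests_signed": flag, "key_uses": sorted(uses)}


def build_redirect_url(idp_sso_url, authn_request_xml):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode into SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    return f"{idp_sso_url}?SAMLRequest={quote(base64.b64encode(deflated).decode(), safe='')}"


def decode_redirect_request(url):
    """Inverse of build_redirect_url, for inspecting what a captured request contains."""
    params = parse_qs(urlparse(url).query)
    return zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15).decode()


def redirect_request_is_signed(url):
    """In the Redirect binding the signature lives in the SigAlg and Signature query parameters."""
    params = parse_qs(urlparse(url).query)
    return "SigAlg" in params and "Signature" in params


def encode_post_request(authn_request_xml):
    """HTTP-POST binding: the SAMLRequest form field is plain base64 of the XML."""
    return base64.b64encode(authn_request_xml.encode()).decode()


def post_request_is_signed(saml_request_b64):
    """In the POST binding the signature is a ds:Signature child of the AuthnRequest.
    Presence only: validating it needs the SP's signing certificate from the metadata."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    return root.find("ds:Signature", NS) is not None


def diagnose(metadata_xml, request_signed):
    """Relate the declared posture to the observed request."""
    decl = declared_signing(metadata_xml)
    expects_signing = decl["authn_requests_signed"] or "signing" in decl["key_uses"]
    if expects_signing and not request_signed:
        return "mismatch: metadata advertises signed requests but the request is unsigned"
    if not expects_signing and request_signed:
        return "mismatch: request is signed but metadata offers no signing key to verify it"
    return "consistent"


if __name__ == "__main__":
    url = build_redirect_url(IDP_SSO_URL, AUTHN_REQUEST)
    print(declared_signing(SP_METADATA))
    print(diagnose(SP_METADATA, redirect_request_is_signed(url)))
```

Run against a real deployment by replacing SP_METADATA with the partner's metadata file and the constructed request with a captured SAMLRequest (the redirect URL, or the POST form field). A "mismatch" on the first branch is exactly the thread's situation: the IdP, configured from the metadata to expect signed requests, rejects the unsigned ones and the user lands on my.policy. Whether the right remedy is relaxing the IdP's "Will be signed" setting, as the poster did, or asking the SP to sign as its metadata promises, is a policy decision; the script only makes the disagreement visible.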