Forum Discussion
SAML Idp federated with Service-Now
Has anyone had any experience setting up SAML IdP with SN? I am using APM 11.4.0 and trying to determine the Assertion Settings and SAML Attributes. I have Assertion Subject Type = Email Address and Value = %{session.logon.last.username}, and I believe that is what SN prefers. For the SAML attribute, what should be included in the assertion?
14 Replies
- gbbaus_104974 (Historic F5 Account)
Hi
Are you sure that your %{session.logon.last.username} is in email address format?
Depending on the VPE [logon] object, if you "Split the username", then %{session.logon.last.username} is a "simple" name format.
I had a situation recently where I needed to change to %{session.logon.last.logonname}.
- gbbaus_104974 (Historic F5 Account)
Just to clarify ... my situation wasn't with Service-Now, but I did need to pass the full email address (logon name) across as a "userPrincipleName" attribute.
- gbbaus_104974 (Historic F5 Account)
Hi. Turn up SSO debugging and you may get more insight into the error in the /var/log/apm log.
Once an APM session is started, either do a "sessiondump -allkey | grep .last." at the APM CLI, or run a report via the APM GUI and look at the session.logon.last session variables for your session. Is there a session.logon.last.username or a session.logon.last.logonname?
Also use SAML tracer in Firefox to look at the SAML assertion that your browser is posting (if you are getting to that point).
Your error above may be the "SP Entity ID" value that is mismatched between the APM and Service-Now (not sure, so double check).
There also seems to be a mismatch of certs/keys used to sign and decrypt the assertion on either side. Check you have the same combination of settings on either side (start with signing but not encrypting).
Lastly, depending on the version of APM, there is an issue with special characters in the assertion... there is an iRule fix to ensure the Assertion is preserved as initially created.
Maybe look at
http://wiki.servicenow.com/index.php?title=SAML_2.0_Web_Browser_SSO_Profile
https://wiki.servicenow.com/index.php?title=SAML_2.0_Troubleshooting
and the "Fixing F5 BIG-IP SAML Authentication Requests" blog
http://blog.routedlogic.net/?p=480
HTH
Gary
- AP_129594 (Nimbostratus)
It also appears that my client/server SSL profiles need to include the CA/chain?
- AP_129594 (Nimbostratus)
It is getting more interesting as we progress:
1. We had to get a new client/server certificate and convert it to JKS format for the SP's keystore, since they used the wildcard (*) certificate.
2. We enabled AuthReq and SLO, which required the assertion to be signed on the SP side.
Now, I think we will also have to change the SAML IdP setting for the assertion subject value to sAMAccountName=%{session.logon.last.username} or sAMAccountName=%{session.session.ssl.cert.last.cn} ???
- THASIN (Nimbostratus)
Hi AP, I configured BIG-IP as IdP for a Service-Now instance. The IdP-initiated connection is working perfectly. The Service-Now SP-initiated connection is not working - connection reset or page not displayed. I would appreciate it if you could share your BIG-IP as IdP configuration for Service-Now or give me some clue how to resolve this issue. Thasin
- AP_129594 (Nimbostratus)
Thasin, can you be a little more specific about when it started to fail? Download the Firefox SAML tracer and look up the error message to determine where it fails.
- THASIN (Nimbostratus)
After authenticating, the redirect page will not go anywhere and displays "Connection was reset":
https://apm.XXXX.com/saml/idp/profile/redirectorpost/sso?SAMLRequest=lVJBbtswEPyKwLtEiVKSmrAMKDaCGkhSIXZz6I0mVwkBilS5lJL%2BvjLtIumhCXrlzs7MznCJojds4M0Ynu0D%2FBwBQ%2FLaG4v8NKnJ6C13AjVyK3pAHiTfNXe3nGU5H7wLTjpDkgYRfNDOrp3FsQe%2FAz9pCd8fbmvyHMKAnFLohfAKpgxPw9S6l0y6nloxDeIJMuVIspktaCuOXG%2BbYuizuB3hR2tUq4HO%2Bp02QD0o7UEG5weHgSLOPDfOS4h31aQTBoEk201NdvfrhZKHfHHoyqqCksnDRZdXnRBXjF2J6uKynIHYCkQ9wdsq4ghbi0HYUBOWF1Va5Cn7si9KXlacsWzBLn%2BQpD0ncq2t0vbp4%2FgOJxDyr%2Ft9m7bfdvtIMGkF%2Fn5G%2F2dyj%2BAxpjZzk9UyFsijcf%2B%2B0489iT9FktVn4kv6XuIsOPCj8%2B2mdUbLX0ljjHtZexBhvib4EWIxvQj%2FdlFkRXzRKu0ilM8GtGmU8oBI6Oqs%2B%2FevXf0G&RelayState=https%3a%2f%2femaardev.service-now.com%2fnavpage.do&SigAlg=http%3a%2f%2fwww.w3.org%2f2000%2f09%2fxmldsig%23rsa-sha1&Signature=nA%2bXhUnwa%2fIiMMqR8aMOokIOXAVp9KziVj0YTxTBTVs7ic8x6pQt03TJ5G1hpd1B2qYliQ6aJ8ouUUzTTFnAtKGuBpHTIerYt%2byjqWloRRt%2fq04nYDh3Mhf8JHVtE3cSjtHmSpbJDnRCOzfgM%2fj48yIfxYmQi%2fVkVe3ifyJ7nwY%3d
- kunjan (Nimbostratus)
Enable debug as follows, and check the logs for the error.
tmsh modify apm sso saml /Common/myIdP log-level debug
Check the debug logs in /var/log/apm.
Which version are you using? BZ 428390 affects SAML logging.
- THASIN (Nimbostratus)
Oct 28 16:33:24 emaarhoapm1 notice apd[12930]: 01490010:5: 5c3c848a: Username 'shijog'
Oct 28 16:33:26 emaarhoapm1 notice apd[12930]: 01490008:5: 5c3c848a: Connectivity resource '/Common/emaar_dev' assigned
Oct 28 16:33:26 emaarhoapm1 notice apd[12930]: 01490128:5: 5c3c848a: Webtop '/Common/emaar_smal_webtop' assigned
Oct 28 16:33:26 emaarhoapm1 notice apd[12930]: 01490005:5: 5c3c848a: Following rule 'fallback' from item 'Advanced Resource Assign' to ending 'Allow'
Oct 28 16:33:26 emaarhoapm1 notice apd[12930]: 01490102:5: 5c3c848a: Access policy result: Full
Oct 28 16:33:26 emaarhoapm1 warning tmm1[16307]: 014d0002:4: 5c3c848a: SSOv2 Authn Request has no Signature element
Oct 28 16:33:26 emaarhoapm1 warning tmm1[16307]: 014d0002:4: 5c3c848a: SSOv2 Authn Request has no Signature element
Oct 28 16:33:37 emaarhoapm1 warning tmm1[16307]: 014d0002:4: 5c3c848a: SSOv2 Authn Request has no Signature element
Oct 28 16:33:55 emaarhoapm1 notice tmm1[16307]: 01490521:5: 2782480d: Session statistics - bytes in: 11415, bytes out: 9512
Oct 28 16:34:07 emaarhoapm1 warning tmm1[16307]: 014d0002:4: 5c3c848a: SSOv2 Authn Request has no Signature element
Oct 28 16:34:26 emaarhoapm1 notice tmm1[16307]: 01490501:5: 5c3c848a: Session deleted due to user logout request.
"SSOv2 Authn Request has no Signature element" - what does it mean?
BIG-IP software version 11.5.1 HF5
- kunjan_118660 (Cumulonimbus)
BIG-IP as IdP is expecting the Authentication request from the SP to be signed. In this case, since it is not signed, disable that.
tmsh modify apm sso saml-sp-connector /Common/mySP is-authn-request-signed false
- THASIN (Nimbostratus)
It worked perfectly after making the change - "Do not expect signed SAML Auth request from SP". Thanks to everyone.
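Gary's tip earlier in the thread (use SAML tracer to look at what the browser is actually sending) and the "SSOv2 Authn Request has no Signature element" log line both come down to reading the AuthnRequest carried in the redirect URL. The script below is an added example, not code from this thread, from F5 or from ServiceNow: it undoes the SAML 2.0 HTTP-Redirect binding encoding (raw DEFLATE, base64, URL-encoding), reports the Issuer, Destination and AssertionConsumerServiceURL to compare against the IdP's SP connector, and says whether the request is signed and how. One caveat a practitioner will want: in the HTTP-Redirect binding the signature is not a ds:Signature element inside the XML but detached SigAlg and Signature query parameters (the URL THASIN pasted above carries exactly those), while a POST-bound request is signed with an enveloped ds:Signature element. The hostnames, the AuthnRequest and the signature value here are constructed for the example, not captured from a real instance, and no signature verification is performed.

```python
"""Decode a SAML 2.0 AuthnRequest from an HTTP-Redirect binding URL and report how it is signed.

Added example for this thread; not F5 or ServiceNow code. Standard library only.
"""
import base64
import sys
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Hypothetical endpoints, shaped like the ones in the thread but not real hosts.
IDP_SSO_URL = "https://apm.example.com/saml/idp/profile/redirectorpost/sso"
SP_ACS_URL = "https://example.service-now.com/navpage.do"

# Constructed AuthnRequest (not captured from a ServiceNow instance).
AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_req0001" Version="2.0" IssueInstant="2014-10-28T12:33:26Z" '
    f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://example.service-now.com</saml:Issuer>'
    '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" '
    'AllowCreate="true"/></samlp:AuthnRequest>'
)

# Same request with an enveloped ds:Signature placeholder (structure only, not a valid signature),
# the shape an XML-signed POST-bound request has.
AUTHN_REQUEST_EMBEDDED_SIG = AUTHN_REQUEST.replace(
    "</saml:Issuer>",
    f'</saml:Issuer><ds:Signature xmlns:ds="{DS}"><ds:SignedInfo/>'
    "<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>",
)


def build_redirect_url(idp_url, xml_text, relay_state=None, sig_alg=None, signature=None):
    """Apply the HTTP-Redirect binding: raw DEFLATE, base64, URL-encode.
    Any signature travels as detached SigAlg/Signature query parameters, not inside the XML."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    if sig_alg:
        params["SigAlg"] = sig_alg
    if signature:
        params["Signature"] = signature
    return idp_url + "?" + urlencode(params)


def decode_redirect_request(url):
    """Reverse the binding and pull out the fields to check against the IdP's SP connector."""
    qs = parse_qs(urlsplit(url).query)
    deflated = base64.b64decode(qs["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(deflated, -15))
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "message": root.tag.split("}")[-1],
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "relay_state": qs.get("RelayState", [None])[0],
        "embedded_signature": root.find(f"{{{DS}}}Signature") is not None,
        "sig_alg": qs.get("SigAlg", [None])[0],
        "query_signature": "Signature" in qs,
    }


def signature_kind(info):
    """'embedded' (ds:Signature in the XML), 'detached' (SigAlg+Signature query params) or 'unsigned'."""
    if info["embedded_signature"]:
        return "embedded"
    if info["query_signature"] and info["sig_alg"]:
        return "detached"
    return "unsigned"


# Sample signed-by-query URL; the Signature value is a dummy base64 string, not a real signature.
SAMPLE_SIGNED_URL = build_redirect_url(IDP_SSO_URL, AUTHN_REQUEST, SP_ACS_URL, RSA_SHA1, "c2lnbmF0dXJl")

if __name__ == "__main__":
    # Pass the URL copied from SAML tracer as an argument, or run without one to decode the sample.
    for url in sys.argv[1:] or [SAMPLE_SIGNED_URL]:
        info = decode_redirect_request(url)
        for key, value in info.items():
            print(f"{key:20} {value}")
        print(f"{'signature':20} {signature_kind(info)}")
```

Paste the full SP-initiated URL from SAML tracer as the argument and compare issuer against the SP connector's entity ID, destination against the IdP's SSO URL, and the signature line against the connector's "authn request signed" setting.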