
Alex_Zaytsev_13
Aug 26, 2013

SAML Request - deflating error?

I am attempting to get a SAML response for SP initiated SSO. I have configured the trust between the F5 and the application, and I am seeing the SAMLRequest being sent to my F5 endpoint like so:

GET /saml/idp/profile/redirectorpost/sso?SAMLRequest=ICA8c2FtbHA6QXV0aG5SZ{BASE64}c3Q%2B HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-AU
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: 192.168.1.27
DNT: 1
Connection: Keep-Alive
Cookie: LastMRH_Session=12aae297; MRHSession=4328dcc453f7696f9123689d12aae297; F5_ST=1,1,1,1377475129,604800

The actual SAML Request follows:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
ID="_bec424fa5103428909a30ff1e31168327f79474984" 
Version="2.0" IssueInstant="2013-08-26T00:22:59.184Z" 
ForceAuthn="false" IsPassive="false" 
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="MYSERVICESPURL">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">SPConnectorURN</saml:Issuer>
<samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" 
SPNameQualifier="MYSERVICEURL" AllowCreate="true" />
<samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
Comparison="exact">
<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

However, the F5 closes connection and logs the following in the APM log:

SSOv2 Error(12) Deflating Authn Request

I think this may be the problem with the request in the application, but I can't see why that request would be wrong.
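A SAMLRequest carried in the query string of a GET, as above, uses the HTTP-Redirect binding, which requires the AuthnRequest XML to be raw-DEFLATE compressed before it is base64- and URL-encoded; only the HTTP-POST binding sends plain base64 of the XML. The Python below is an added example, not part of the original post and not an F5 tool: it produces both encodings and includes a small check that reports which one a captured SAMLRequest value uses (the prefix ICA8c2FtbHA6 shown in the question base64-decodes to two spaces followed by <samlp:, i.e. uncompressed XML). The SP URLs and ID are hypothetical.

```python
import base64
import urllib.parse
import zlib

# Constructed sample AuthnRequest (hypothetical SP URLs, not the poster's XML).
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example-id" Version="2.0" IssueInstant="2013-08-26T00:22:59.184Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://sp.example.test/acs">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example.test/sp</saml:Issuer></samlp:AuthnRequest>'
)


def encode_redirect_binding(xml):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw deflate
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def encode_plain_base64(xml):
    """What the HTTP-POST binding sends: base64 of the uncompressed XML, no DEFLATE."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def classify_saml_request(param):
    """Decode a SAMLRequest query value and report which encoding it used.

    Returns ("deflated", xml) for a correct Redirect-binding value,
    ("plain-base64", xml) when the XML was only base64-encoded (an IdP
    expecting the Redirect binding cannot inflate it), or ("unknown", text).
    """
    raw = base64.b64decode(urllib.parse.unquote(param))
    try:
        xml = zlib.decompress(raw, -15).decode("utf-8")
        if xml.lstrip().startswith("<"):
            return "deflated", xml
    except (zlib.error, UnicodeDecodeError):
        pass  # not a raw-deflate stream; fall through to the plain-XML check
    text = raw.decode("utf-8", errors="replace")
    if text.lstrip().startswith("<"):
        return "plain-base64", text
    return "unknown", text


if __name__ == "__main__":
    for value in (encode_redirect_binding(AUTHN_REQUEST), encode_plain_base64(AUTHN_REQUEST)):
        kind, _ = classify_saml_request(value)
        print(f"SAMLRequest={value[:24]}...  -> {kind}")
```

Running the check against a value copied from the IdP's access log or a browser capture tells you whether the SP is applying DEFLATE before you start looking at the F5 side.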

2 Replies

  • After some testing I can say that there doesn't seem to be anything wrong with the request itself. I do have a few follow-on questions though:

    1. Your GET request to the IdP has an MRHSession token. Is this from a previous request to the IdP, or have you configured domain cookies with another APM policy?

    2. Does your "AssertionConsumerServiceURL" value contain any special characters? An ampersand maybe?

    3. What product is providing the SP function?

    4. Can you share a more detailed description of your config?

  • Currently there is a bug in using the HTTP Redirect protocol binding; I was getting the same error. I opened a case with F5 to get an engineering fix and now the problem is solved.