Forum Discussion
NimbostratusSP-Initated SAML redirects to webtop?
I have a policy setup with 2 SAML resources. IDP-Initiated connections for both work fine. SP-Initiated however is giving me a headache.
The first resource is working properly with SP-Initiated SAML assertions.
- User goes to https://resource1.com
- User is redirected to https://login.company.com/idp/resource1
- User types in credentials
- User is redirected to https://resource1.com/foo (based on the relay state attribute)
The second resource however doesnt flow completely.
- User goes to https://resource2.com
- User is redirected to https://login.company.com/idp/resource2
- User types in credentials
- User is presented with the full webtop
- User has to click the icon for resource2
- User is redirected to https://resource2.com/foo
The second resource isn't performing the final redirect as expected. Instead, they are shown the full webtop and have to manually select the resource they want.
Is there any way to make resource2 operate the same as resource1? Is this something that needs to be updated at the IDP or SP?
14 Replies
Michael_Koyfma1Cirrus
Hard to say, but most likely there is a mismatch on the SAML configuration side somewhere - maybe SP, maybe the IDP.
For starters, since you say that you have two SPs, I suggest performing HTTPWatch or similar and checking if the URLs that SPs use to initiate the connection to the IDP are identical - if not, you might have a configuration mismatch on the SP side.
Start by checking that first. You can also enable SSO debug log and see if there are any notices/errors reported there
edgoad_211171Thanks for your feedback. I have used HTTPWatch and I am getting completely different readings from both resources. For resource1, the login process appears to POST to https://login.company.com/saml/idp/profile/redirectorpost/sso. For resource2, the login process appears to POST to http://login.company.com/my.policy. However, I am not familiar enough with SAML to know if this is wrong, or just another way to work it.- Michael_Koyfma1I am glad my suggestion was in the right direction. Not knowing details of resource2, I am guessing that SAML configuration on resource 2 side is mess up - please review it.
- edgoad_211171Out of curiosity, the authentication seems to be working, just the flow through the F5 (for whatever reason) isnt completing. Since the resource is sending the user to a unique URL (https://login.company.com/idp/resource2), is there some way I can force it? Can I use an iRule or something to select the SAML resource for the user?
Michael_KoyfmanCirrocumulus
Hard to say, but most likely there is a mismatch on the SAML configuration side somewhere - maybe SP, maybe the IDP.
For starters, since you say that you have two SPs, I suggest performing HTTPWatch or similar and checking if the URLs that SPs use to initiate the connection to the IDP are identical - if not, you might have a configuration mismatch on the SP side.
Start by checking that first. You can also enable SSO debug log and see if there are any notices/errors reported there
- edgoad_211171Thanks for your feedback. I have used HTTPWatch and I am getting completely different readings from both resources. For resource1, the login process appears to POST to https://login.company.com/saml/idp/profile/redirectorpost/sso. For resource2, the login process appears to POST to http://login.company.com/my.policy. However, I am not familiar enough with SAML to know if this is wrong, or just another way to work it.
- Michael_KoyfmanI am glad my suggestion was in the right direction. Not knowing details of resource2, I am guessing that SAML configuration on resource 2 side is mess up - please review it.
- edgoad_211171Out of curiosity, the authentication seems to be working, just the flow through the F5 (for whatever reason) isnt completing. Since the resource is sending the user to a unique URL (https://login.company.com/idp/resource2), is there some way I can force it? Can I use an iRule or something to select the SAML resource for the user?
- Stanislas_Piro2
Cumulonimbus
Hi, to use IDP initiated SAML, you created 2 idp profiles? one for each sp.
the SP initiated SAML use idp as SSO profile. as you have 2 IDP depending on the SP requesting, you need to assign with an irule a different so for the second ressource.
you can see how to change so profile here
- Stanislas_Piro2
Hi,
ACCESS_ACL_ALLOWED Évent raise when user request is allowed by apm.
It raise just after HTTP_REQUEST When user is authenticated.
On the last irule, the condition is not referrer but the host name...
If the host name is the same for both IDP, you can filter on HTTP::path instead of HTTP::host
- Walter_Kacynski
Cirrostratus
"For resource2, the login process appears to POST to http://login.company.com/my.policy"
Can you re-configure resource 2 to issue a post to the correct URL? It seems like the meta-data that you have configured i resource 2 is incorrect. Maybe it is only referencing the root url and not the SAML redirect URL?
- edgoad_211171
I somewhat stumbled across the solution, it was the login URL that was set for the second resource.
When we started the setup, they asked for the login URL, which I assumed was https://login.company.com/idp/resource2 since that was the IDP Entity ID. It wasn't until I compared the metadata from my IDPs and the working service provider, that I realized it should have been https://login.company.com/saml/idp/profile/redirectorpost/sso.
Once the SP updated their system to use the new URL, everything worked great. Though I am somewhat surprised it was this hard to get working. Is it normal for people to need to sniff transactions and reverse-engineer packet captures to make this work?
- Michael_Koyfma1Glad you got this working! SAML is not the easiest thing in the world, but once you get a hang of it and set up a few IDP/SP relationships, you'll be easily verses in all its pitfalls.
- Walter_KacynskiI would say that HTTP tracing is very normal with SAML.
