Forum Discussion
edgoad_211171
Nimbostratus
Sep 17, 2015
SP-Initiated SAML redirects to webtop?
I have a policy set up with 2 SAML resources. IDP-Initiated connections for both work fine. SP-Initiated however is giving me a headache.
The first resource is working properly with SP-Initiated ...
Michael_Koyfman
Cirrocumulus
Sep 18, 2015
Hard to say, but most likely there is a mismatch on the SAML configuration side somewhere - maybe SP, maybe the IDP.
For starters, since you say that you have two SPs, I suggest performing HTTPWatch or similar and checking if the URLs that SPs use to initiate the connection to the IDP are identical - if not, you might have a configuration mismatch on the SP side.
Start by checking that first. You can also enable SSO debug log and see if there are any notices/errors reported there.
- edgoad_211171 Sep 18, 2015
Nimbostratus
Thanks for your feedback. I have used HTTPWatch and I am getting completely different readings from both resources. For resource1, the login process appears to POST to https://login.company.com/saml/idp/profile/redirectorpost/sso. For resource2, the login process appears to POST to http://login.company.com/my.policy. However, I am not familiar enough with SAML to know if this is wrong, or just another way to work it.
- Michael_Koyfman Sep 18, 2015
Cirrocumulus
I am glad my suggestion was in the right direction. Not knowing details of resource2, I am guessing that SAML configuration on resource 2 side is messed up - please review it.
- edgoad_211171 Sep 18, 2015
Nimbostratus
Out of curiosity, the authentication seems to be working, just the flow through the F5 (for whatever reason) isn't completing. Since the resource is sending the user to a unique URL (https://login.company.com/idp/resource2), is there some way I can force it? Can I use an iRule or something to select the SAML resource for the user?
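The comparison suggested in this thread can be done on the captured requests themselves. The following is an added example, not code from any poster here or from F5: it decodes a `SAMLRequest` value copied from an HTTP capture (already URL-decoded) and reports where the SP's request disagrees with the IdP SSO endpoint. The function names and the `resource1.example` SP values are hypothetical; the two `login.company.com` URLs are the ones quoted in the thread.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_authn_request(saml_request):
    """Decode a URL-decoded SAMLRequest value from either binding."""
    raw = base64.b64decode(saml_request)
    # HTTP-POST carries base64 XML; HTTP-Redirect carries base64 of raw DEFLATE.
    xml = raw if raw[:1] == b"<" else zlib.decompress(raw, -15)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD in SAML message, refusing to parse")
    root = ET.fromstring(xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not an AuthnRequest: " + root.tag)
    return {"destination": root.get("Destination"),
            "acs_url": root.get("AssertionConsumerServiceURL"),
            "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip()}

def check_sp_initiated(observed_url, saml_request, idp_sso_url):
    """List mismatches between one captured SP-initiated request and the IdP."""
    problems = []
    seen, want = urlsplit(observed_url), urlsplit(idp_sso_url)
    if (seen.scheme, seen.netloc.lower(), seen.path) != (want.scheme, want.netloc.lower(), want.path):
        problems.append("sent to %s, not the IdP SSO endpoint" % observed_url)
    if not saml_request:
        problems.append("no SAMLRequest in the captured request")
        return problems
    req = decode_authn_request(saml_request)
    if req["destination"] and req["destination"] != idp_sso_url:
        problems.append("Destination is %s" % req["destination"])
    return problems

# Constructed sample: an AuthnRequest such as a correctly configured SP might send.
IDP_SSO = "https://login.company.com/saml/idp/profile/redirectorpost/sso"  # from the thread
SAMPLE_XML = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_a1" Version="2.0" '
              'Destination="%s" AssertionConsumerServiceURL="https://resource1.example/acs">'
              '<saml:Issuer>https://resource1.example/sp</saml:Issuer></samlp:AuthnRequest>'
              % (NS["samlp"], NS["saml"], IDP_SSO)).encode()
_c = zlib.compressobj(wbits=-15)
SAMPLE_REDIRECT = base64.b64encode(_c.compress(SAMPLE_XML) + _c.flush()).decode()
SAMPLE_POST = base64.b64encode(SAMPLE_XML).decode()

if __name__ == "__main__":
    print(check_sp_initiated(IDP_SSO, SAMPLE_REDIRECT, IDP_SSO))
    print(check_sp_initiated("http://login.company.com/my.policy", None, IDP_SSO))
```

Running the same check against the request each SP sends shows whether the difference is in the URL the SP was configured with, the `Destination` it puts in the request, or both.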