For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

edgoad_211171's avatar
edgoad_211171
Icon for Nimbostratus rankNimbostratus
Sep 17, 2015

SP-Initated SAML redirects to webtop?

I have a policy setup with 2 SAML resources. IDP-Initiated connections for both work fine. SP-Initiated however is giving me a headache.   The first resource is working properly with SP-Initiated ...
BIG-IP Access Policy Manager (APM)
cloud
security
edgoad_211171's avatar
edgoad_211171
Icon for Nimbostratus rankNimbostratus
Sep 18, 2015

I somewhat stumbled across the solution, it was the login URL that was set for the second resource.

 

When we started the setup, they asked for the login URL, which I assumed was https://login.company.com/idp/resource2 since that was the IDP Entity ID. It wasn't until I compared the metadata from my IDPs and the working service provider, that I realized it should have been https://login.company.com/saml/idp/profile/redirectorpost/sso.

 

Once the SP updated their system to use the new URL, everything worked great. Though I am somewhat surprised it was this hard to get working. Is it normal for people to need to sniff transactions and reverse-engineer packet captures to make this work?

 

  • Michael_Koyfma1's avatar
    Michael_Koyfma1
    Icon for Cirrus rankCirrus
    Sep 18, 2015
    Glad you got this working! SAML is not the easiest thing in the world, but once you get a hang of it and set up a few IDP/SP relationships, you'll be easily verses in all its pitfalls.
  • Walter_Kacynski's avatar
    Walter_Kacynski
    Icon for Cirrostratus rankCirrostratus
    Sep 20, 2015
    I would say that HTTP tracing is very normal with SAML.