F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

GBurch's avatar
GBurch
Icon for Altostratus rankAltostratus
Jun 12, 2020

SP Initiated SAML Authentication stops at Webtop page

I'm trying to set up a new SAML connection with an external 3rd Party. I have one similar SAML connection set up and functioning with a different 3rd Party, but I can't see the difference between th...
application delivery
BIG-IP Access Policy Manager (APM)
saml
webtop
youssef1's avatar
youssef1
Icon for Cumulonimbus rankCumulonimbus
Jun 15, 2020

very well I understood your deployment.

 

so you have 2 saml ressources, for each saml resource it must have its own IDP bind to the SP.

in your access profile you need to set SAML ressources in "Advanced ressource assign" (bot old and new one).

 

did you test to connect directly on the idp URL and click on the resource directly on the webtop? it works?

 

what I suspect is that you don't match the ACS URL in the saml request. let me explain.

On the SSO/Auth Domain tab for that policy the "SSO Configuration" dropdown is set to "None", that means you don't have a default IDP.

if you would have a default IDP and no SAML resources matched. you would have had a SAML error.

 

so here is how you should proceed:

- try to access SP and capture the saml request (F5: dev tools or fiddler)

- decode URL (https://urldecoder.org)

- Then decode saml (https://samltool.com/decode.php)

 

in the saml request you will see the ACS URL, you must confirm that this is the one you configured in the external SP.

I'm sure this is the problem ...

 

Keep me in touch and tell me if you need more details. 

 

regards

 

GBurch's avatar
GBurch
Icon for Altostratus rankAltostratus
Jun 15, 2020

Is it the URL in the <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> field that I'm looking for? Which needs to match the ACS URL?