Forum Discussion
SP Initiated SAML Authentication stops at Webtop page
Here's the traffic I'm seeing from the browser's developer tools:
- I send an HTTP GET request to the external webpage, it responds with 302 FOUND which has a location header of https://<internal address of our F5>/saml/idp/profile/redirect/sls?SAMLRequest=<Long String of Characters>&RelayState=<What looks to be the encoded URL that I originally visited>
- There's another HTTP GET to the location header from above. This returns 302 MOVED TEMPORARILY, and includes SAMLRequest and RelayState as Query String Parameters.
- After this, it's just the traffic to load the Webtop page
I pasted the value of the SAMLRequest Query String into the URL Decoder you posted above, but it doesn't change the string (it just looks like random characters). I tried it with the value of the RelayState Query String, which does decode some of the characters, but not all. I tried pasting both outputs in the SAML decoder you posted above, but it didn't return anything.
I've managed to decode the SAMLRequest data by pasting it straight into the SAML Decode tool, rather than decoding the URL first.
The decoded SAML response I get is:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://[internal address of F5]/saml/idp/profile/redirect/sls" ID="_aff60f5600c35a9c6ba7c629056c96ea" IssueInstant="2020-06-17T10:07:09.436Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://[FQDN of external website]</saml2:Issuer>
</saml2p:AuthnRequest>
Is it the value of the <saml2:Issuer> tag I'm looking at? The FQDN of this matches the FQDN of the ACS URL configured on the F5 under Access -> Federation -> SAML Identity Provider -> External SP Connectors. However, the ACS URL has an additional file path which is not present in the decoded XML above. Does this need to match exactly, or is this enough for the F5 to match the request up with the correct SAML Resource?
The URL from the decoded XML above does match the Entity ID listed on the SP Connector
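
Added example, not part of the original post: in the SAML HTTP-Redirect binding the `SAMLRequest` query parameter is URL-encoded, base64-encoded, raw-DEFLATE XML, so all three layers have to be undone in order before the `Issuer`, `Destination` and optional `AssertionConsumerServiceURL` can be compared with the SP connector settings. The hostnames, ID and function names below are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"
ASSERT = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_XML = 64 * 1024  # cap on inflated size; the parameter is caller-controlled

def deflate_b64(xml: str) -> str:
    """Raw DEFLATE + base64; used here only to build the constructed sample."""
    c = zlib.compressobj(wbits=-15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()

def decode_redirect(url: str) -> dict:
    """Undo URL-encoding, base64 and raw DEFLATE, then pull out the match fields."""
    qs = parse_qs(urlsplit(url).query)  # URL-decodes exactly once
    raw = base64.b64decode(qs["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(wbits=-15)  # -15: no zlib header or checksum
    xml = inflater.decompress(raw, MAX_XML)
    if inflater.unconsumed_tail:
        raise ValueError("inflated SAMLRequest exceeds size cap")
    # ElementTree is enough for this constructed sample; use a hardened parser
    # (for example defusedxml) on requests you did not generate yourself.
    root = ET.fromstring(xml)
    if root.tag != f"{{{PROTO}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "issuer": root.findtext(f"{{{ASSERT}}}Issuer"),
        "acs_url": root.get("AssertionConsumerServiceURL"),  # optional attribute
        "relay_state": qs.get("RelayState", [None])[0],
    }

# Constructed sample with placeholder hostnames, same shape as the request above.
SAMPLE_XML = (
    f'<saml2p:AuthnRequest xmlns:saml2p="{PROTO}" '
    'Destination="https://idp.example.internal/saml/idp/profile/redirect/sls" '
    'ID="_constructed0001" IssueInstant="2020-06-17T10:07:09.436Z" Version="2.0">'
    f'<saml2:Issuer xmlns:saml2="{ASSERT}">https://sp.example.com</saml2:Issuer>'
    "</saml2p:AuthnRequest>"
)
SAMPLE_URL = "https://idp.example.internal/saml/idp/profile/redirect/sls?" + urlencode(
    {"SAMLRequest": deflate_b64(SAMPLE_XML), "RelayState": "https://sp.example.com/app"}
)

if __name__ == "__main__":
    print(decode_redirect(SAMPLE_URL))
```

In the sample, as in the request posted above, `acs_url` comes back as `None` because the AuthnRequest carries no `AssertionConsumerServiceURL` attribute.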