
Forum Discussion

Julio_Navarro
Jul 14, 2014

Using APM as a SAML IdP no SSO portal

Hello;

 

I was able to configure the LTM as an Identity Provider (IdP), so my users go to a website (for example: assist.mydomain.com) where the Application Policy/VIP is hosted on my LTM. If the user is authenticated, they are redirected to the webtop. From there, the user can click the link of the webtop resource (which is configured for SSO with an external Service Provider (SP))... and all this works perfectly. Nice...

 

Now, I was asked to omit the webtop entirely. I tried this configuration: http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-saml-config-guide-11-3-0/3.htmlconceptid

 

...with no luck. After authenticating, the redirect page does not go anywhere and displays "Connection was reset".

 

Please advise

 

Thank you

 

4 Replies

  • What you have now is considered an "IdP-initiated" config. The user logs onto the webtop, and the various links generate SAML assertions to their respective SPs. The opposite of this is an "SP-initiated" config, where the user goes to the SP first, which redirects to the IdP for authentication, and then back to the SP with the assertion. The configuration of this is very similar to what you already have, except instead of assigning the IdP profile to a SAML resource, you simply assign the IdP profile as an SSO to the primary access policy itself (with no webtop).

     

  • I'm assuming the metadata between the two entities is correct, given that it works in the IdP-initiated format. I would personally install the SAMLTracer extension in Firefox and test it with this tool. This will tell you where the traffic is going and what the SAML messages look like. It's very likely a configuration issue somewhere, but without more details it's hard to say.

     

  • Try this.

     

    https://devcentral.f5.com/questions/saml-idp-initiated-connections worked a treat for me.

     

    I've used this as the basis for a common SAML IdP-initiated launch pad, as we also didn't want the webtop to display and wanted IdP-initiated SAML to act the same way as SP-initiated SAML assertions, without displaying a webtop.

     

    To use it as a common launch point, we provide our users with a launch URL, e.g. http://samllaunch.idp.example.com?SPNAME, then convert this to a session variable via an iRule. Then, along with LDAP authentication to ensure the user is allowed access to the resource, we assign the resource and the SAML assertion.

     

    Used in conjunction with the iRule, we can use this to launch multiple IdP-initiated assertions without displaying a webtop. Note: you still have to set up and assign the resources in the normal way (i.e. assign a webtop and the SAML resource based on your criteria) for this to work; it's just that your webtop never gets displayed. Hope this is useful info.

     

    Cheers

     
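An added example of the launch-pad iRule that the reply above describes. This is not the poster's iRule and is not code from the linked DevCentral thread; it is written here to show the pattern. It assumes an APM virtual server acting as the IdP, an access policy that assigns a webtop and one SAML IdP resource per SP (the LDAP/group checks live in that policy, not in the iRule), a string data group named saml_sp_launch (hypothetical name) that maps each allowed SPNAME value to its SAML resource path, and that session.server.landinguri carries the launch URL's query string. The session variable name session.custom.sp_res is chosen here. The data group works as an allow-list, so the query string can only select a resource that an administrator listed, never an arbitrary path.

```tcl
# Added example (not the thread's own iRule): IdP-initiated SAML launch
# without showing the webtop.
# Assumptions (hypothetical names, adjust to your configuration):
#  - data group "saml_sp_launch" (type string) maps an SPNAME key to the
#    SAML IdP resource path, e.g.  "assist" := "/Common/saml_res_assist"
#  - the launch URL is  https://samllaunch.idp.example.com/?<SPNAME>
#    so the SP key is the bare query string, as in the reply above
#  - the access policy still assigns the webtop and the SAML resource;
#    this iRule only chooses which assigned resource to launch.

when ACCESS_SESSION_STARTED {
    # session.server.landinguri holds the URI (with query) that created the session.
    set landing [ACCESS::session data get "session.server.landinguri"]
    set sp [string tolower [string trim [lindex [split $landing "?"] 1]]]

    # Resolve the SP key through the allow-list. Anything not listed is dropped,
    # so a crafted query string cannot steer the user to an arbitrary resource.
    if { $sp ne "" && [class match $sp equals saml_sp_launch] } {
        ACCESS::session data set "session.custom.sp_res" [class lookup $sp saml_sp_launch]
    } else {
        ACCESS::session data set "session.custom.sp_res" ""
    }
}

when ACCESS_POLICY_COMPLETED {
    # Redirect only after the policy granted access. If the LDAP/group branch
    # did not assign the resource, APM refuses the launch and no assertion is built.
    if { [ACCESS::policy result] eq "allow" } {
        set res [ACCESS::session data get "session.custom.sp_res"]
        if { $res ne "" } {
            # APM's IdP-initiated launch path for an assigned SAML resource
            # (as understood here; confirm the path on your APM version).
            ACCESS::respond 302 noserver Location "/saml/idp/res?id=${res}"
        }
    }
}
```

If no valid SPNAME was supplied, the session simply falls through to the webtop, which is a reasonable default. Checking the flow with the SAML tracer mentioned in the second reply should show the 302 to /saml/idp/res followed by the POST of the assertion to the SP's ACS URL; if the browser instead lands on the webtop, the resource was not assigned by the policy for that user.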

  • Thank you Brent! I agree with you! I ended up doing an iRule... the good part is that it gives us the flexibility to manage the different portals through the iRule.

     

    Thank you again.