Technical Forum

APM as SAML Service Provider and IdP connector automation




I am using APM (TMOS) as SP and ADFS as IdP. The setup works, but I also must automate the process of renewing the signing certificate of the IdP, because it is changed regularly and automatically on ADFS.


I have tried to set up Access/Federation/SAML Service Provider/Connector Automation. But I do not see any attempt by BIG-IP to reach the URL with the ADFS XML. The log file /var/log/saml_automation.log is empty. Any idea how to debug this kind of issue?


I am also aware of bug 755739, which prevents importing metadata from the IdP if it contains an SPSSODescriptor. The metadata file from the ADFS I have to federate with contains this descriptor. Does this bug affect the process of connector automation? As far as I understand, it should.





I will partially answer myself. BIG-IP started to poll the metadata file from the configured URL after I restarted the service samlidpd.

tmsh restart /sys service samlidpd

Anyway, now I ran into another problem, because I get the message "Tag value to create object name is empty" in /var/log/saml_automation.log. Is there any how-to documentation with examples of how to configure this functionality? I have read this article, but I did not succeed.


Hi Martin, were you able to solve this issue? I am facing exactly the same issue and getting this error: "Tag value to create object name is empty."

Not yet. But I at least solved the problem with the empty Tag value. The problem was that I was using an element (tag) which had sub-elements with attributes. Once I changed it to an element which has only a value in it, the IdP connector is successfully created. But I also had to upgrade to version (in the lab). On version 14 the metadata provided by the IdP cannot be imported because of the bug I linked in the original post.


Anyway, I have opened an SR for the IdP automation functionality and will post the result once it is solved. The current status is that BIG-IP creates the IdP connector but does not bind it to an SP service. If the binding is done manually, it works. But of course the goal is to automate this process.
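The empty-tag problem described above comes down to which metadata element the automation reads its connector name from. As an added example (not F5 or Microsoft code, and not from this thread), the following Python script parses a constructed, shortened piece of ADFS-style federation metadata and shows what the direct text of a candidate element looks like: an element with only a text value yields a usable name, while one that merely wraps child elements or attributes yields an empty string. It assumes, as the experience reported here suggests, that the "Metadata Tag For IdP Connector Name" is taken as the direct text of the named element. It also derives a marker from the IdP signing certificate only, rather than from the whole file, so a rotation of the ADFS signing certificate can be detected offline; hostnames, the entityID and the certificate body are placeholders.

```python
"""Offline check of ADFS federation metadata for the two things the BIG-IP
APM IdP connector automation depends on: a metadata element whose direct
text can serve as the connector name, and the IdP signing certificate.

Added example for this thread; not F5 or Microsoft code.  Assumption: the
"Metadata Tag For IdP Connector Name" is read as the direct text of the
named element, so an element that only wraps child elements gives "".
The metadata below is constructed and shortened; the certificate body is
a placeholder, not a real certificate.
"""
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample (hostnames, entityID and certificate are placeholders).
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  ID="_constructed-id-1"
                  entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            MIIC-PLACEHOLDER-SIGNING-CERT-BASE64
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
  <Organization>
    <OrganizationName xml:lang="en">Example Org</OrganizationName>
    <OrganizationDisplayName xml:lang="en">Example Org ADFS</OrganizationDisplayName>
  </Organization>
</EntityDescriptor>
"""


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def tag_value_for_name(metadata: bytes, local_name: str) -> str:
    """Direct text of the first element called local_name, or "" when the
    element is missing or only wraps child elements / attributes.  An empty
    result corresponds to "Tag value to create object name is empty"."""
    root = ET.fromstring(metadata)
    for el in root.iter():          # document order, root included
        if _local(el.tag) == local_name:
            return (el.text or "").strip()
    return ""


def signing_cert_marker(metadata: bytes) -> str:
    """SHA-256 over the base64 body of the IdP signing certificate.
    Hashing only the certificate (not the whole file, as an md5sum of the
    download does) keeps the marker stable when only ID, validUntil or the
    metadata signature changed between fetches."""
    root = ET.fromstring(metadata)
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is not None and cert.text:
            body = "".join(cert.text.split())
            return hashlib.sha256(body.encode("ascii")).hexdigest()
    return ""


def cert_rotated(previous_marker: str, metadata: bytes) -> bool:
    """True when the signing certificate differs from the stored marker."""
    return signing_cert_marker(metadata) != previous_marker


if __name__ == "__main__":
    for name in ("OrganizationName", "Organization", "KeyDescriptor", "EntityDescriptor"):
        print(f"{name:18} -> {tag_value_for_name(SAMPLE_METADATA, name)!r}")
    marker = signing_cert_marker(SAMPLE_METADATA)
    print("signing cert marker:", marker)
    print("rotated vs stored marker:", cert_rotated(marker, SAMPLE_METADATA))
```

Running it against a real metadata download before pointing the automation at it tells you whether the element you intend to name the connector after actually carries a plain text value; note that entityID is an attribute, not element text, so EntityDescriptor itself is not a usable choice under this assumption.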


I didn't get it when you say an element which has sub-elements. Which field are you talking about?


However, kind of the same thing is happening with as well: it creates an IdP from the metadata URL if I use the value * for Metadata Tag For IdP Connector Name, but doesn't bind it with the SP.

If I use anything other than that, it doesn't even create the IdP. I am already on 15.1.0.


I have also opened an SR for this issue; hope we will get some response soon.


May 13 16:59:57 IdP automation /Common/ripin is fetching metadata from url https://"metdataurl"
Success: Cmd- /usr/bin/md5sum /tmp/xml_meta.xml
Cur MD5 - [648b0c77eb76ae50cf785d1345e03]
Prev MD5 - []
May 13 16:59:58 Tag value to create object name is empty.
May 13 16:59:58 Deleting IdP object association /Common/MIIDpDCCAoygAwIBAgIGAWaqTH5tMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG_A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0Y_43c4bc8cdefdcd5374303d248b9aa630
May 13 16:59:58 Deleting SAML IdP connector /Common/MIIDpDCCAoygAwIBAgIGAWaqTH5tMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG_A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0Y_43c4bc8cdefdcd5374303d248b9aa630
May 13 17:00:55 saml_timer_cb Objname is empty
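The log above shows the sequence that matters operationally: a fetch, an md5 comparison, the empty tag value, and then the automation deleting the existing IdP connector. As an added example (not F5 code and not from this thread), the following Python script summarizes a run of /var/log/saml_automation.log and flags those conditions so they can be caught by a monitoring job rather than discovered when SSO stops working. The line formats follow the log quoted above; the sample log embedded in the script is constructed, with placeholder hostname, hashes and connector name.

```python
"""Summarize one run of BIG-IP /var/log/saml_automation.log and flag the
conditions seen in this thread: empty tag value, deleted IdP connector,
and the timer callback finding no object name.

Added example for this thread, not F5 code.  Line formats follow the log
quoted in the thread; the sample below is constructed (placeholder host,
hashes and connector name).
"""
import re

SAMPLE_LOG = """\
May 13 16:59:57 IdP automation /Common/idp-auto is fetching metadata from url https://adfs.example.test/FederationMetadata/2007-06/FederationMetadata.xml
Success: Cmd- /usr/bin/md5sum /tmp/xml_meta.xml
Cur MD5 - [0123456789abcdef0123456789abcdef]
Prev MD5 - []
May 13 16:59:58 Tag value to create object name is empty.
May 13 16:59:58 Deleting IdP object association /Common/adfs-idp_deadbeefdeadbeefdeadbeefdeadbeef
May 13 16:59:58 Deleting SAML IdP connector /Common/adfs-idp_deadbeefdeadbeefdeadbeefdeadbeef
May 13 17:00:55 saml_timer_cb Objname is empty
"""

FETCH_RE = re.compile(r"IdP automation (\S+) is fetching metadata from url (\S+)")
MD5_RE = re.compile(r"^(Cur|Prev) MD5 - \[([0-9a-fA-F]*)\]")
DELETE_RE = re.compile(r"Deleting SAML IdP connector (\S+)")
EMPTY_TAG = "Tag value to create object name is empty"
TIMER_EMPTY = "saml_timer_cb Objname is empty"


def summarize_automation_log(text: str) -> dict:
    """Extract the automation object, metadata URL, md5 comparison and the
    error/deletion events from the log text."""
    s = {
        "automation": None, "url": None,
        "cur_md5": None, "prev_md5": None, "metadata_changed": None,
        "empty_tag_errors": 0, "deleted_connectors": [], "timer_objname_empty": 0,
    }
    for line in text.splitlines():
        m = FETCH_RE.search(line)
        if m:
            s["automation"], s["url"] = m.group(1), m.group(2)
            continue
        m = MD5_RE.match(line)
        if m:
            s["cur_md5" if m.group(1) == "Cur" else "prev_md5"] = m.group(2)
            continue
        m = DELETE_RE.search(line)
        if m:
            s["deleted_connectors"].append(m.group(1))
            continue
        if EMPTY_TAG in line:
            s["empty_tag_errors"] += 1
        elif TIMER_EMPTY in line:
            s["timer_objname_empty"] += 1
    if s["cur_md5"] is not None and s["prev_md5"] is not None:
        # A first run logs "Prev MD5 - []" and therefore counts as a change.
        s["metadata_changed"] = s["cur_md5"] != s["prev_md5"]
    return s


def findings(summary: dict) -> list:
    """Human-readable problems worth alerting on, empty when the run was clean."""
    out = []
    if summary["empty_tag_errors"]:
        out.append("metadata tag for the connector name resolved to empty; "
                   "pick an element that carries a plain text value")
    for name in summary["deleted_connectors"]:
        out.append(f"automation deleted IdP connector {name}")
    if summary["timer_objname_empty"]:
        out.append("timer callback ran with no object name; no connector will be created")
    return out


def automation_healthy(summary: dict) -> bool:
    return not findings(summary)


if __name__ == "__main__":
    summary = summarize_automation_log(SAMPLE_LOG)
    print(f"{summary['automation']} fetched {summary['url']}")
    print("metadata changed:", summary["metadata_changed"])
    for problem in findings(summary):
        print("PROBLEM:", problem)
    print("healthy:", automation_healthy(summary))
```

Feeding the real log file to summarize_automation_log in a cron or monitoring check gives a simple pass/fail per polling interval; the deleted-connector finding is the one to treat as urgent, since the thread shows the automation removing the existing connector before it has a usable name for a replacement.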