I am using APM (TMOS 188.8.131.52) as SP and ADFS as IdP. The setup works, but I also must automate the process of renewing the signing certificate of the IdP because it is changed regularly and automatically on ADFS.
I have tried to set up Access/Federation/SAML Service Provider/Connector Automation, but I do not see any attempts by BIG-IP to reach the URL with the ADFS XML. The log file /var/log/saml_automation.log is empty. Any idea how to debug this kind of issue?
I am also aware of bug 755739, which prevents importing metadata from an IdP if it contains SPSSODescriptor. The metadata file from ADFS I have to federate with contains this descriptor. Does this bug affect the process of connector automation? As far as I understand, it should.
I will partially answer myself. BIG-IP started to poll the metadata file from the configured URL after I restarted the samlidpd service.
tmsh restart /sys service samlidpd
Anyway, now I ran into another problem because I get the message "Tag value to create object name is empty" in /var/log/saml_automation.log. Is there any how-to documentation with examples of how to configure this functionality? I have read this article, but I did not succeed.
Not yet. But I at least solved this problem with the empty Tag value. The problem was that I was using an element (tag) which had sub-elements with attributes. Once I changed it to an element which has only a value in it, the IdP connector is successfully created. But I also had to upgrade to version 184.108.40.206 (in the lab). On version 14 the metadata provided by the IdP cannot be imported because of the bug I linked in the original post.
Anyway, I have opened an SR for the IdP automation functionality and will post the result once it is solved. Now the status is that BIG-IP creates the IdP connector but does not bind it to an SP service. If the binding is done manually, it works. But of course the goal is to automate this process.
I didn't get it when you say an element which has a sub-element. Which field are you talking about?
However, kind of the same thing is happening with me as well: it creates an IDP from the metadata URL if I use the value * for Metadata Tag For IdP Connector Name, but doesn't bind it to the SP.
If I use anything other than that, then it doesn't even create the IDP. I am already on 15.1.0.
I have also opened an SR for this issue; hope we will get some response soon.
May 13 16:59:57 IdP automation /Common/ripin is fetching metadata from url https://"metdataurl"
Success: Cmd- /usr/bin/md5sum /tmp/xml_meta.xml
Cur MD5 - [648b0c77eb76ae50cf785d1345e03]
Prev MD5 - 
May 13 16:59:58 Tag value to create object name is empty.
May 13 16:59:58 Deleting IdP object association /Common/MIIDpDCCAoygAwIBAgIGAWaqTH5tMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG_A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0Y_43c4bc8cdefdcd5374303d248b9aa630
May 13 16:59:58 Deleting SAML IdP connector /Common/MIIDpDCCAoygAwIBAgIGAWaqTH5tMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG_A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0Y_43c4bc8cdefdcd5374303d248b9aa630
May 13 17:00:55 saml_timer_cb Objname is empty
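As an added example (not part of the original thread and not F5 code): a small Python check that can be run against a copy of the IdP metadata to see which elements carry a text value and which hold only attributes or sub-elements, the distinction the thread reports as the cause of "Tag value to create object name is empty". It also hashes each signing certificate so a rotation between polls is visible. It does not reproduce BIG-IP's naming logic; the host names, organization name and certificate bytes are constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: not a real certificate and not metadata from the thread.
SAMPLE_CERT_DER = b"constructed-sample-certificate-bytes"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}"><X509Data>
        <X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
  <Organization><OrganizationName xml:lang="en">Example Corp</OrganizationName></Organization>
</EntityDescriptor>"""


def tags_by_text(xml_text):
    """Split element names into those with a text value and those without one."""
    with_text, without_text = set(), set()
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop ElementTree's '{namespace}' prefix
        (with_text if (el.text or "").strip() else without_text).add(name)
    return with_text, without_text


def signing_cert_sha256(xml_text):
    """SHA-256 of each signing certificate, to spot a rotation between polls."""
    root = ET.fromstring(xml_text)
    prints = []
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") == "signing":  # a missing 'use' covers signing too
            for cert in kd.iter(f"{{{DS}}}X509Certificate"):
                prints.append(hashlib.sha256(base64.b64decode(cert.text)).hexdigest())
    return prints


if __name__ == "__main__":
    usable, empty = tags_by_text(SAMPLE_METADATA)
    print("tags with a text value:", sorted(usable))
    print("tags with only attributes/children:", sorted(empty))
    print("signing cert SHA-256:", signing_cert_sha256(SAMPLE_METADATA))
```

In the sample, SingleSignOnService and KeyDescriptor land in the second set because they hold only attributes or child elements, while X509Certificate and OrganizationName carry a text value.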