
APM SAML Citrix StoreFront

Dathi
Nimbostratus

Using APM as SAML SP with external IdP connector ADFS.

Followed this article https://devcentral.f5.com/s/articles/citrix-federated-authentication-service-integration-with-apm-24489:

F5 is passing the logon page to ADFS but is not able to pass SSO to StoreFront.

APM logs show "Could not find SSO username, check SSO credential mapping agent."


boneyard
MVP

Can you confirm session.saml.last.nameIDValue is assigned the correct value?

Dathi
Nimbostratus

Yes it does. It's the username I used to log in.

Weird. Does the StoreFront side show something useful, like the username or a hint about a bad password?

Dathi
Nimbostratus

It does not go that far. After authenticating at the ADFS page, the next page it lands on is the StoreFront logon page with the username in the username field and an empty password. It seems as if it's waiting on the user to enter the password and click LOGON.

boneyard
MVP

Most likely because it doesn't appear to have the username ready, but that is difficult to check via a questions section like this. I would engage F5 support by now; it is easier for them to check things in a live environment.

Dathi
Nimbostratus

Thank you, yes, support is involved but they are unable to determine where the problem is. I am not a SAML expert, but from what I know, SAML just passes, or should pass, a token to the Citrix StoreFront. I cannot see where the disconnect is.

I saw another question which triggered something.

Which SSO method are you using currently? Because if you get a username and password login, that will logically fail, I believe. You don't pass on the SAML assertion; that gets accepted by BIG-IP, which then has to do passwordless SSO, I believe, so Kerberos for example.

Dathi
Nimbostratus

The goal is to use SAML, and my APM looks like this: [screenshot of the APM policy: 0691T000009j6KPQAY.png]

Yeah, sorry, got confused. You did configure your Citrix Federated Authentication Service (FAS) as described at the start of the article you linked?

Dathi
Nimbostratus

Yes, it's configured. But it only comes into the picture when the user attempts to launch an app after successfully SSO'ing to StoreFront. In my case, the SSO is not happening from F5 APM to StoreFront.

dromerot
Nimbostratus

Hi Dathi,

Have you been able to pass SSO to StoreFront? I don't see any traffic from APM to StoreFront, only health check traffic. I see the log "Following rule 'fallback' from item 'Session Variable Assign' to ending 'Allow'", but I don't see any packet from APM to StoreFront.

However, I can see the right SAML assertion and the right username received from the IdP in APM.

Thanks, best regards.

No, actually, it stands as is. F5 tech support was not able to determine the flow or the bottleneck. I am still looking for answers.

Hi Dathi,

Thanks.

On the other hand, I see an iRule in the Virtual Server which was added automatically by the iApp, and I don't know whether I have to delete it.

I've read in the link you posted: "12/21/2016 - Removed an iRule that is not needed for SSO to function properly in a complete deployment".

Maybe we have to delete this iRule! I don't know!

Thanks, best regards.

Dathi
Nimbostratus

There wasn't any iRule set automatically.

OK Dathi,

I've deployed the iApp Citrix VDI 2.4.6 and it automatically added an iRule to the Virtual Server. It is this one: [screenshot of the iRule: 0691T00000BGMtsQAH.png]

Dathi
Nimbostratus

Yes, I see this as well, but removing this has also not helped.

dromerot
Nimbostratus

Hi Dathi,

Did you manage to pass SSO to StoreFront?

I think we have to send "session.saml.last.nameIDValue" to STF, but I don't know whether we have to send it via HTTP header or POST.

Thanks, best regards.
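The point boneyard makes earlier (BIG-IP consumes the SAML assertion itself and then needs a username of its own for a passwordless SSO method such as Kerberos) and the question just above of where session.saml.last.nameIDValue has to go both come down to the same thing: the NameID is never forwarded to StoreFront; it has to be copied into the variables the SSO object reads, which is what the "Could not find SSO username, check SSO credential mapping agent" log line complains is missing. The iRule below is an added example written for this thread, not code from the original posts or from the F5 article. It assumes the access policy contains an iRule Event agent with the ID "saml_sso_map" placed after the SAML Auth agent (so it only runs for sessions that passed SAML), that the NameID is a UPN such as user@corp.example (a constructed value), and that the SSO configuration reads session.sso.token.last.username and session.logon.last.domain, which are the defaults for an APM Kerberos SSO object. The agent ID, the hypothetical session.custom.sso_ready flag and the domain format are assumptions, not settings from the page.

```tcl
# Added example: copy the SAML NameID into the session variables APM's SSO
# object reads, so passwordless SSO to StoreFront has a username to work with.
# Assumptions (not from the original thread): an iRule Event agent with ID
# "saml_sso_map" sits after the SAML Auth agent; the NameID is a UPN such as
# user@corp.example; the SSO object uses the default username/realm sources.
when ACCESS_POLICY_AGENT_EVENT {
    # Only act for our own agent; other iRule Event agents in the policy are ignored.
    if { [ACCESS::policy agent_id] ne "saml_sso_map" } { return }

    set nameid [ACCESS::session data get "session.saml.last.nameIDValue"]

    if { $nameid eq "" } {
        # Nothing to map: SSO would fail with the "Could not find SSO username"
        # error seen in the thread. Flag it so the policy can branch to a deny.
        log local0. "saml_sso_map: empty NameID for session [ACCESS::session sid]"
        ACCESS::session data set "session.custom.sso_ready" 0
        return
    }

    # Kerberos SSO wants the short account name and the realm separately, so a
    # UPN-style NameID is split on "@". A NameID without "@" is used as-is.
    if { [string first "@" $nameid] != -1 } {
        set parts  [split $nameid "@"]
        set user   [lindex $parts 0]
        set domain [string toupper [lindex $parts 1]]
        ACCESS::session data set "session.logon.last.domain" $domain
    } else {
        set user $nameid
    }

    # session.sso.token.last.username is the variable the SSO object reads;
    # session.logon.last.username is set too so webtop and logging show the user.
    ACCESS::session data set "session.logon.last.username"     $user
    ACCESS::session data set "session.sso.token.last.username" $user
    ACCESS::session data set "session.custom.sso_ready"        1

    log local0. "saml_sso_map: SSO username set to [ACCESS::session data get session.sso.token.last.username]"
}
```

Two caveats for anyone trying this. First, the agent must sit after SAML Auth succeeded, because whatever this rule writes into session.sso.token.last.username is what BIG-IP will obtain a Kerberos ticket for; placing it anywhere else would let an unauthenticated session pick its own SSO identity. Second, the mapping only works if the IdP emits a NameID (or an attribute you map instead) that actually corresponds to an account in the Kerberos realm; a transient or opaque NameID cannot be turned into a ticket, which is a question for the ADFS/Azure AD side rather than for APM.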

Tinkerer
Nimbostratus

I was wondering the same thing. We've run into the same issue.

Thanks.

Tinkerer
Nimbostratus

We are having the same issue.

Exactly the same?

What have you already tried?

Do you have any experience with SSO from APM?

Rob_Young
Altostratus

Looking for assistance on this as well. We are currently testing AzureAD SAML to our APM (which works), but now we would like to log in to our Citrix environment. It doesn't matter if it is the F5 webtop or StoreFront. I have even set up FAS (which works internally). I just cannot figure out how to authenticate to our Citrix environment. Any guidance would be appreciated.

Dathi
Nimbostratus

I opened a ticket with Citrix and they claim that F5 as SAML IdP will not work with StoreFront. But I am still not convinced. There may be other people who might have got it working.

Citrix doesn't actually support F5 APM and has stated for years that it is an unsupported configuration, so you won't get help from that side.

Let me know if you make any progress. I am currently in the same boat. It would be nice if F5 came out with a guide on this config.

Dathi
Nimbostratus

Was anyone able to get this working?