Forum Discussion

TJ_Vreugdenhil's avatar
Oct 15, 2019

F5 APM SAML from SecureAuth

We are stuck on the VPE SAML Auth action based on the APM log message. The SAML XML Deflated Content shows "Success" in the output.

Current setup:

Client > SecureAuth presented MFA page:

Client (IDP) - F5 APM (SP) > Citrix Storefront

The Requests never seem to be making it past SAML Auth action:
Oct 11 13:31:12 lb-ext1 err apmd[14020]: 0149020b:3: /Common/ACCESSTEST:Common:0ef40f05: SAML Agent: /Common/ACCESSTEST_act_saml_auth_ag, SAML AAA Server /Common/ACCESSTEST, unable to redirect user to an IdP. Error: could not find an IdP connector for saml aaa server that matches IdP selection criteria
********************
Oct 11 13:39:53 lb-ext1 err apmd[14020]: 0149020f:3: /Common/ACCESSTEST:Common:c9f13457: SAML Agent: /Common/ACCESSTEST_act_saml_auth_ag cannot find assertion information in SAML request
**********************
Oct 11 13:40:31 lb-ext1 err apmd[14020]: 0149020a:3: /Common/ACCESSTEST:Common:5147979f: SAML Agent: /Common/ACCESSTEST_act_saml_auth_ag SAML assertion is invalid, error: Id of InResponseTo should match id of authentication request
*******************
Oct 11 13:21:54 lb-ext1 notice apmd[14020]: 01490005:5: /Common/ACCESSTEST:Common:6cf6baf2: Following rule 'fallback' from item 'SAML Auth' to ending 'Deny'
**********************
********************
Configuration: 
******************************************
apm aaa saml /Common/ACCESSTEST {
   entity-id https://accesstest.company.com
   idp-connectors {
       /Common/ACCESSTEST {
           idp-matching-source "%{session.server.landinguri}"
           idp-matching-value /
       }
   }
   sp-decryption-cert /Common/SecureAuth_Citrix_Test_2019_cert.crt
   sp-decryption-key /Common/SecureAuth_Citrix_Test_2019_cert.key
   sp-host accesstest.company.com 
}
apm aaa saml-idp-connector /Common/ACCESSTEST {
   entity-id https://logon.company.com/CitrixTest/ 
   idp-certificate /Common/SecureAuth_Citrix_Test_2019_cert.crt
   sso-binding http-redirect
   sso-uri https://logon.company.com/CitrixTest/TestProdAppsWeb/
}
*************************************
apm policy policy-item /Common/ACCESSTEST_act_saml_auth {
   agents {
       /Common/ACCESSTEST_act_saml_auth_ag {
           type aaa-saml
       }
   }
   caption "SAML Auth"
   color 1
   item-type action
   rules {
       {
           caption Successful
           expression "expr {[mcget {session.saml.last.result}] == 1}"
           next-item /Common/ACCESSTEST_act_variable_assign
       }
       {
           caption fallback
           next-item /Common/ACCESSTEST_end_deny
       }
   }
}

 SAML XML Deflated Content

Deflated SAML XML content: 
<samlp:Response ID="_e9cb37db-103b-4921-afaf-393276a79450" InResponseTo="_d3de7fa9516f067ee78a84205eacf91acc2a1f" Version="2.0" IssueInstant="2019-10-11T18:40:58.758Z" Destination="https://accesstest.company.com/saml/sp/profile/post/acs" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://logon.company.com/CitrixTest/</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status><saml:Assertion Version="2.0" ID="_82dc8a40-9951-478e-a16b-6b73da3d2d2e" IssueInstant="2019-10-11T18:40:58.758Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Issuer>https://logon.company.com/CitrixTest/</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><Reference URI="#_82dc8a40-9951-478e-a16b-6b73da3d2d2e"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces PrefixList="#default saml ds xs xsi" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><DigestValue>Zw0basdNmLtETu9w6v9vqseADmipeHDppg8NhboScFY=</DigestValue></Reference></SignedInfo><SignatureValue>Wp5bF2SKj/Npanasb/Xv7uovuR5+NN25HdNps+/cIySmV0pi6rgahHROHJZvtTM1XSWyNcSed0uWKrAbRQQBzMHcupciVyBwF6KB7gQrh+dg3mSrzMe6C4TCebXwujTKg1XyURfLmS2+lXBwHcq2nCQGGRvGXbeuKVcdQ0vK3SXQbACxwb3ppg1lMrEshRyplzwz6sHcn4sGFi7/Q7zy17hFFOB4CwoYVrCrQhKet4LfFz6vQsAbs1arD7gLgsapNQVbRsi8jULHlvQV8zJrN2PBh4cKqNHOOD8lOlD8lCwi2AX58XB1pOz2ZniuXMun5jzyRWTTORNpYpqWtOjZ5Q==</SignatureValue><KeyInfo><X509Data><X509Certificate>MIIGZzCCBU+gAwIBAgITXgAL7JV9V1pMYiNyMQAAAAvslTANBgkqhkiG9w0BAQsFADCB9TELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExDzANBgNVBAcTBklydmluZTEfMB0GA1UEChMWU2VjdXJlQXV0aCBDb3Jwb3JhdGlvbjFCMEAGA1UECxM5KGMpIDIwMTUgU2VjdXJlQXV0aCBDb3Jwb3JhdGlvbiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MR0wGwYDVQQLExRDZXJ0aWZpY2F0ZSBTZXJ2aWNlczE8MDoGA1UEAxMzU2VjdXJlQXV0aCBHMyBJbnRlcm1lZGlhdGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDFBMB4XDTE5MDYyMDE3NTE1NFoXDTI1MDUxNjIwMTQwNlowgZAxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhNaXNzb3VyaTEUMBIGA1UEBxMLS2Fuc2FzIENpdHkxHTAbBgNVBAoTFEthbnNhcyBDaXR5IFNvdXRoZXJuMQswCQYDVQQLEwJTRTEsMCoGA1UEAxMjU2VjdXJlYXV0aDAxLmthbnNhc2NpdHlzb3V0aGVybi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCfefnj/mR4j2a3722hemJs6mq57IAdSgdoygpqxRQMgaeb22z7UuFdv2VZ1fv/ZTfrbLY/Qul4EqyMWoPQ3XuowZcVPCMg75XVpKcRdeRGPo0+lvVo0K+oTYGSOi2YbGAr7rR/kRNUK28yx9JAhBL4Zv4hJV1zScahIkuDETAa7UsmmcZt4QRnG8jdEZUuE3WcJbiWKtFOnJb59CbSt+0DGKXTtoczlwDFY9Pw5b73gVVAMr9Z3j/luFlWqzNuc6kTQkH+7/7GONfOtcY8AOzsL/o/0o3ahyTIGFuvyNzppueEPo64epQ5K7ij3KtnU/gl34gSEQ0j/E2YktqDBQxtAgMBAAGjggJRMIICTTAOBgNVHQ8BAf8EBAMCBPAwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBRDMzJlMkc/LWq/IBJ/wSn8f+S4wzA5BgNVHREEMjAwgglsb2NhbGhvc3SCI1NlY3VyZWF1dGgwMS5rYW5zYXNjaXR5c291dGhlcm4uY29tMB8GA1UdIwQYMBaAFAY88yj3QiBrOerad6rYkmgxhzcsMIHnBgNVHR8Egd8wgdwwgdmggdaggdOGZmh0dHA6Ly9jbG91ZC5zZWN1cmVhdXRoLmNvbS9DZXJ0SW5mby9TZWN1cmVBdXRoJTIwRzMlMjBJbnRlcm1lZGlhdGUlMjBDZXJ0aWZpY2F0ZSUyMEF1dGhvcml0eSUyMDFBLmNybIZpaHR0cDovL3VzLWNsb3VkLnNlY3VyZWF1dGguY29tL0NlcnRJbmZvL1NlY3VyZUF1dGglMjBHMyUyMEludGVybWVkaWF0ZSUyMENlcnRpZmljYXRlJTIwQXV0aG9yaXR5JTIwMUEuY3JsMIGzBggrBgEFBQcBAQSBpjCBozCBoAYIKwYBBQUHMAKGgZNodHRwOi8vY2xvdWQuc2VjdXJlYXV0aC5jb20vQ2VydEluZm8vTXVsdGlmYWN0ci1WTTIyLmJhbm5lci5tdWx0aWZhY3RvcnRydXN0My5jb21fU2VjdXJlQXV0aCUyMEczJTIwSW50ZXJtZWRpYXRlJTIwQ2VydGlmaWNhdGUlMjBBdXRob3JpdHklMjAxQS5jcnQwDQYJKoZIhvcNAQELBQADggEBAMll4CeLg3lEqf9XWr5NnSMDVyizCXRsKm02m3sEKlvmb8j3baWHJLn7N4wXmBHpDLbtVySa+UbbGm8+/Dtu3P0SJj4GI3NxYKsYJigiBm5E3wzsC2jX8Tm4ni7H7u9ixWXyl2aA6lPLWhVBOzQWTVWElPe5fly0/3QA3RxI+WaUUkhq6+oigF5RagPOd4BEtoj3+7i0BrPARSUyqJj9YSn1q6fd4Tq/vZU4NKeQvCRCcWVabO3ZtcoMwYg7SvawhzJ6RfX+LVLeyBpRt+YgQyRj8PvNgpCdL4M9opIVDcvX18IoaSs1YH72xxXpEi02Ig2TLazEglwTz8lVGweGFa4=</X509Certificate></X509Data></KeyInfo></Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">test2013ex07</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2019-10-11T19:40:58.758Z" Recipient="https://accesstest.company.com/saml/sp/profile/post/acs" InResponseTo="_d3de7fa9516f067ee78a84205eacf91acc2a1f" /></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2019-10-11T18:40:58.758Z" NotOnOrAfter="2019-10-11T19:40:58.758Z"><saml:AudienceRestriction><saml:Audience>https://accesstest.company.com</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2019-10-11T18:40:58.758Z" SessionIndex="_d3de7fa9516f067ee78a84205eacf91acc2a1f"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="Password" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue>SecureAuth!</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>