I am wondering if someone has already successfully integrated mobile apps with F5 SP/IDP setup where SAML authentication is being used to the F5 login page.
Everything works just fine on laptops with Chrome browsers, however when we use mobile phones in this case Android with Chrome browser and applications published by Airwatch on the mobile phone we receive "invalid nonce" errors when connecting to the F5. The published applications actually open a Chrome browser tab when establishing a connection to F5 SP/IDP.
Now I installed a Fiddler proxy on my laptop to investigate and decrypt the traffic from the mobile phone and the Mobile phone is sending a request to /my policy and is providing the correct MRH cookie of the session, but F5 is responding with error page no nonce (hope you can see the image below) and the response we see that F5 is redirecting to /my.logout.php3?errorcode=21
I believe the most closely bug match is and we see the same behavior with mobile phones only. We currently use 13.1.
On the F5 LTM logs I enabled request logging and we can confirm the same, this is actually a sharepoint webserver hosted behind the F5 and we do pre SAML authentication to F5 IDP, so it acts as both SP with external IDP connector. Anyway this works seamless with desktops and Chrome browsers, but there seem to be compatibility issues between F5 SP/IDP SAML and mobile phones.
Line 113718: Oct 7 22:23:22 BEVMPSYSCAD11 info tmm: Rule /Systems/IR-troubleshooting <HTTP_REQUEST>: Client: 22.214.171.12463786 request URL is GET myf5website/my.policy and accessed Virtual Server Name /Systems/PRD_AD-BE_AUTH_PORTAL-Lvl1-HR4U_Back-End with MRHsession 79d9042576ee294006bb177fd60b31cc and load balanced to /Systems/PRD_Sharepoint_443 0 Line 113720: Oct 7 22:23:23 BEVMPSYSCAD11 info tmm: Rule /Systems/IR-troubleshooting <HTTP_REQUEST>: Client: 126.96.36.19963790 request URL is GET myf5website/my.policy and accessed Virtual Server Name /Systems/PRD_AD-BE_AUTH_PORTAL-Lvl1-HR4U_Back-End with MRHsession 79d9042576ee294006bb177fd60b31cc and load balanced to /Systems/PRD_Sharepoint_443 0 Line 113721: Oct 7 22:23:23 BEVMPSYSCAD11 info tmm: Rule /Systems/IR-troubleshooting <HTTP_REQUEST>: Client: 188.8.131.5263784 request URL is GET myf5website/my.logout.php3?errorcode=21 and accessed Virtual Server Name /Systems/PRD_AD-BE_AUTH_PORTAL-Lvl1-HR4U_Back-End with MRHsession 79d9042576ee294006bb177fd60b31cc and load balanced to /Systems/PRD_Sharepoint_443 0
So the above F5 article states the following when this occurs:
This message occurs when the following condition is met:
A client logging in to a BIG-IP APM resource provides an invalid value (cryptographic nonce) when attempting to establish the session.
Note: A cryptographic nonce (number used once) is a random or pseudo-random number that is used in authentication protocols, such as HTTP digest authentication. Generated nonce values should be sufficiently random to ensure they are not repeated in order to prevent replay attacks and session hijacking. The Invalid Nonce message indicates that a cryptographic value that the client provided to the BIG-IP APM system is not valid.
So hope anyone here got the same issues because there is not a solution for this known "bug" yet and I would like to find out what is happening here.
Hi Shawn, We don't use webtops at all on F5, all is SP initiated going to F5 IDP or just plain HTTP going directly to F5 configured as the SP itself. Why do you mention this, could you give me some more background information please?
was just thinking of trying it for troubleshooting to see if the F5 idp is working properly on device using a browser. we are doing same thing with our apps you can go directly to them or to a webtop (mainly for me for testing). but we are on version 184.108.40.206 and do not have an issue, but on 13.1 it was working as well so could be a new update on devices? i am going to 15.1 end of month to stay in supported version.
it seems that the F5 SP wants to perform the SAML auth to the external IDP connector (where the client already had an active session) but this is never executed and the F5 APM (SP) directly responds with this error message, this is so weird behavior.
So the first request coming from the client is / and is does not provide any cookie, then in the response from F5 I receive the cookie for session d60b31cc all good, now the client send the next request to /my.policy with this MRH cookie which is still good. Then I see a subsequent request coming from the client again to /my.policy and results in this invalid nonce error.
yes i would think so. they may want to update to at least 14 though. we had some issues with the outlook client and ended up using the a canned irule "_sys_APM_MS_OFFICE_Support" but we have it go through APM