- last edited on by
JimmyPackets
Dear all,
I am wondering if someone has already successfully integrated mobile apps with F5 SP/IDP setup where SAML authentication is being used to the F5 login page.
Everything works just fine on laptops with Chrome browsers, however when we use mobile phones in this case Android with Chrome browser and applications published by Airwatch on the mobile phone we receive "invalid nonce" errors when connecting to the F5. The published applications actually open a Chrome browser tab when establishing a connection to F5 SP/IDP.
Now I installed a Fiddler proxy on my laptop to investigate and decrypt the traffic from the mobile phone and the Mobile phone is sending a request to /my policy and is providing the correct MRH cookie of the session, but F5 is responding with error page no nonce (hope you can see the image below) and the response we see that F5 is redirecting to /my.logout.php3?errorcode=21
I believe the most closely bug match is and we see the same behavior with mobile phones only. We currently use 13.1.
https://cdn.f5.com/product/bugtracker/ID738148.html
https://support.f5.com/csp/article/K91172311
On the F5 LTM logs I enabled request logging and we can confirm the same, this is actually a sharepoint webserver hosted behind the F5 and we do pre SAML authentication to F5 IDP, so it acts as both SP with external IDP connector. Anyway this works seamless with desktops and Chrome browsers, but there seem to be compatibility issues between F5 SP/IDP SAML and mobile phones.
Line 113718: Oct 7 22:23:22 BEVMPSYSCAD11 info tmm[18851]: Rule /Systems/IR-troubleshooting <HTTP_REQUEST>: Client: 198.143.43.22063786 request URL is GET myf5website/my.policy and accessed Virtual Server Name /Systems/PRD_AD-BE_AUTH_PORTAL-Lvl1-HR4U_Back-End with MRHsession 79d9042576ee294006bb177fd60b31cc and load balanced to /Systems/PRD_Sharepoint_443 0
Line 113720: Oct 7 22:23:23 BEVMPSYSCAD11 info tmm[18851]: Rule /Systems/IR-troubleshooting <HTTP_REQUEST>: Client: 198.143.43.22063790 request URL is GET myf5website/my.policy and accessed Virtual Server Name /Systems/PRD_AD-BE_AUTH_PORTAL-Lvl1-HR4U_Back-End with MRHsession 79d9042576ee294006bb177fd60b31cc and load balanced to /Systems/PRD_Sharepoint_443 0
Line 113721: Oct 7 22:23:23 BEVMPSYSCAD11 info tmm[18851]: Rule /Systems/IR-troubleshooting <HTTP_REQUEST>: Client: 198.143.43.22063784 request URL is GET myf5website/my.logout.php3?errorcode=21 and accessed Virtual Server Name /Systems/PRD_AD-BE_AUTH_PORTAL-Lvl1-HR4U_Back-End with MRHsession 79d9042576ee294006bb177fd60b31cc and load balanced to /Systems/PRD_Sharepoint_443 0So the above F5 article states the following when this occurs:
This message occurs when the following condition is met:
A client logging in to a BIG-IP APM resource provides an invalid value (cryptographic nonce) when attempting to establish the session.
Note: A cryptographic nonce (number used once) is a random or pseudo-random number that is used in authentication protocols, such as HTTP digest authentication. Generated nonce values should be sufficiently random to ensure they are not repeated in order to prevent replay attacks and session hijacking. The Invalid Nonce message indicates that a cryptographic value that the client provided to the BIG-IP APM system is not valid.
So hope anyone here got the same issues because there is not a solution for this known "bug" yet and I would like to find out what is happening here.
Thanks,
Marvin
