
Problems with BigIP/APM as Identity Provider for SAML2

Sam_D_
Nimbostratus

Problem One:

I've configured my BigIP/APM as Identity Provider for SAML SSO (SP-initiated SSO) integration with our partner (Service Provider). When the counterpart Service Provider POSTs (by default, the POST binding method is being used) the AuthnRequest as SAMLRequest to our IdP https://www.mycompany.com/saml/idp/profile/redirectorpost/sso (this starts the APM evaluation process and this URL is now set as landingUrl on BigIP/APM), our BigIP/APM working as IdP correctly pops up the login page for authentication. However, after successful authentication, the BigIP/APM tries to GET the remembered landingUrl instead of using the original POST method, which results in our IdP failing to post the SAMLResponse back to the AssertionConsumerService URL of the SP although the user has already been successfully authenticated.

 

Problem Two:

In order to work around the above-mentioned problem, I've coordinated with our counterpart to use the REDIRECT binding method instead of POST. However, another new problem appeared. It seems that the length of the URL for redirecting the AuthnRequest plays some tricks on the BigIP/APM side while triggering the APM evaluation process. We've narrowed down the test case to reproduce this issue; for instance, the curl command below will trigger the APM evaluation process on BigIP, based on the fact that BigIP has redirected to /my.policy and set the MRHSession cookies:

GET /saml/idp/profile/redirectorpost/sso?SAMLRequest=nVfJkqNIEr3rK9LUR1kVmxaQVZZZBDsCBEhCgssY%2ByI2sUtfPyizKiurZ6atpw%2BYFIHHC%2FfnzyOcb42TZ9UWdG1cGMGtC5r2Zcyzotm%2BvXidd3WxLZ0mabaFkwfNtvW2B6DIW%2Fwruq3qsi29Mpu%2FgKYJ6jYpC7osmi4P6kNQ94kXnAz5dR63bdVsESQoxr5q2mmLr9Pv16LcLpcE8twHaSpkAguTLECqsmkRx2vmL8xkmRTOE%2FYXiB%2F0P1a%2Fr0z8X0vrwE%2FqwGvL%2Bg2kacr5i8i8zv%2BFUR5FOit%2F7bnuyglxFN0QobP0KIrASTJcL9dL3yEm46bpArFoWqdoX%2Bc4imNf0OUXHD9iqy1BbonVVxTF7fkLV9Ze8MbZ6zx0siaYv2g%2FuIBJ4SdF9NfEue9GzVY4HrUv2v5wnL%2BYQd28RToZzL9%2Fewa3ffOn%2FpSQv4Z1fmZh%2Fv0vOf%2BGfEL%2F%2Fs1vtockmoju6uDHXn7zzviEMAzD14H4WtYRMvGGIiiFTDZ%2Bk0R%2FzD%2FWBr5YhOU%2FWEw7RVkknpMlj7dEK0Ebl%2F4LyKKyTto4%2Fx9IGIKhT6Qvweh98bBl8ccc%2BT2Qvwn0m0t143xpYgf7gWUEYVAHhRe8nAzxdf7H35XR2%2BJj7RRNWNZ58%2Fvw%2F%2FMoKPogK6vA%2F9L8DOyHc38f8L9w9f1b4G3Fwsu6JukD9SmkyvGC5kcCA%2B%2FvQ03CD8JklJNmqpixeXqHfHbvT8N3NpgkmhT5T1L0KT3vIKaTdcH3IrmKFmtf43EfRLWrF5bSWykmyJT3%2BubAZ%2BO3iY%2Fkvg9%2Fifh3Gb2vOHi7Cz56NSVSxI00ghWxUcAdtbANqxb12e3jNlDlVsOvuLyPz9YFMPI5rHYyt0%2BXqzwZlLsgeaV5laNTsRiDNPAUOkdsZyWVTLy8ohAC5WawSHmMJTIdWiUN1oK8kGS3uFQ5H3JS%2BLiqVEEgvaDaqwYYdrokKXNPsisx1c6Q4SsbVbB9wpMno8VrXyROZhepY6WuF3RSubI5EOy5Ol30sLwnmr4z6DErKuNy7X2pOYchqnq9IOIq1gk8BlG9u2Or6B6nl0RiRWa5TJgjMHilp7gF6xIadylJTIDrMjtiSzOOr7GjcrQSOWVV8o29Njt7gWQerKNIwfRVqO5O3OiMu2zU03ZBDvfl8Pr6Qf0nrp%2F074L7RyouK5RinNb5GNDPMy6czow2%2BK6IIjcyNA139wgMIgSRqISXhhKkBNPCfXrhaUQBKE8fbvxBdAlGZy HTTP/1.1
> User-Agent: curl/7.64.1
> Accept: */*
* HTTP 1.0, assume close after body
HTTP/1.0 302 Found
< Connection: Close
< Content-Length: 0
Location: /my.policy
< Set-Cookie: LastMRH_Session=0ae14ed7;path=/;secure;HttpOnly
< Set-Cookie: MRHSession=ae1b8222181863b1ab29623b0ae14ed7;path=/;secure;HttpOnly
< Set-Cookie: MRHSHint=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/;Secure

However, if I append just one single letter A to the above-mentioned URL, BigIP will fail to trigger the APM evaluation process:

> GET /saml/idp/profile/redirectorpost/sso?SAMLRequest=nVfJkqNIEr3rK9LUR1kVmxaQVZZZBDsCBEhCgssY%2ByI2sUtfPyizKiurZ6atpw%2BYFIHHC%2FfnzyOcb42TZ9UWdG1cGMGtC5r2Zcyzotm%2BvXidd3WxLZ0mabaFkwfNtvW2B6DIW%2Fwruq3qsi29Mpu%2FgKYJ6jYpC7osmi4P6kNQ94kXnAz5dR63bdVsESQoxr5q2mmLr9Pv16LcLpcE8twHaSpkAguTLECqsmkRx2vmL8xkmRTOE%2FYXiB%2F0P1a%2Fr0z8X0vrwE%2FqwGvL%2Bg2kacr5i8i8zv%2BFUR5FOit%2F7bnuyglxFN0QobP0KIrASTJcL9dL3yEm46bpArFoWqdoX%2Bc4imNf0OUXHD9iqy1BbonVVxTF7fkLV9Ze8MbZ6zx0siaYv2g%2FuIBJ4SdF9NfEue9GzVY4HrUv2v5wnL%2BYQd28RToZzL9%2Fewa3ffOn%2FpSQv4Z1fmZh%2Fv0vOf%2BGfEL%2F%2Fs1vtockmoju6uDHXn7zzviEMAzD14H4WtYRMvGGIiiFTDZ%2Bk0R%2FzD%2FWBr5YhOU%2FWEw7RVkknpMlj7dEK0Ebl%2F4LyKKyTto4%2Fx9IGIKhT6Qvweh98bBl8ccc%2BT2Qvwn0m0t143xpYgf7gWUEYVAHhRe8nAzxdf7H35XR2%2BJj7RRNWNZ58%2Fvw%2F%2FMoKPogK6vA%2F9L8DOyHc38f8L9w9f1b4G3Fwsu6JukD9SmkyvGC5kcCA%2B%2FvQ03CD8JklJNmqpixeXqHfHbvT8N3NpgkmhT5T1L0KT3vIKaTdcH3IrmKFmtf43EfRLWrF5bSWykmyJT3%2BubAZ%2BO3iY%2Fkvg9%2Fifh3Gb2vOHi7Cz56NSVSxI00ghWxUcAdtbANqxb12e3jNlDlVsOvuLyPz9YFMPI5rHYyt0%2BXqzwZlLsgeaV5laNTsRiDNPAUOkdsZyWVTLy8ohAC5WawSHmMJTIdWiUN1oK8kGS3uFQ5H3JS%2BLiqVEEgvaDaqwYYdrokKXNPsisx1c6Q4SsbVbB9wpMno8VrXyROZhepY6WuF3RSubI5EOy5Ol30sLwnmr4z6DErKuNy7X2pOYchqnq9IOIq1gk8BlG9u2Or6B6nl0RiRWa5TJgjMHilp7gF6xIadylJTIDrMjtiSzOOr7GjcrQSOWVV8o29Njt7gWQerKNIwfRVqO5O3OiMu2zU03ZBDvfl8Pr6Qf0nrp%2F074L7RyouK5RinNb5GNDPMy6czow2%2BK6IIjcyNA139wgMIgSRqISXhhKkBNPCfXrhaUQBKE8fbvxBdAlGZyA HTTP/1.1
> Host: dev.vps.no
> User-Agent: curl/7.64.1
> Accept: */*
* LibreSSL SSL_read: SSL_ERROR_SYSCALL, errno 54
* Closing connection 0
curl: (56) LibreSSL SSL_read: SSL_ERROR_SYSCALL, errno 54

It would be great if we could get some feedback on these two issues from BigIP.
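Added example for both problems above (it is not the poster's or F5's code): it builds a constructed AuthnRequest and encodes it once with the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoding into the query string, which is why the SAMLRequest in the thread is full of %2B and %2F and why the request line grows with the request) and once with the HTTP-POST binding (plain base64 in a form field, so the request line stays short and the data lives in the body that a GET to the landing URL would lose). The IdP SSO URL is the one from the thread; the Issuer, ACS URL, request ID and the request-line limit are placeholders. The round-trip decoders let you check your own SP's SAMLRequest before blaming the IdP.

```python
import base64
import zlib
from typing import Optional
from urllib.parse import quote_plus, unquote_plus

# IdP SSO endpoint taken from the thread; every other value below is a constructed placeholder.
IDP_SSO_URL = "https://www.mycompany.com/saml/idp/profile/redirectorpost/sso"

AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_placeholder-request-id" Version="2.0" IssueInstant="2020-01-01T00:00:00Z" '
    'Destination="https://www.mycompany.com/saml/idp/profile/redirectorpost/sso" '
    'AssertionConsumerServiceURL="https://sp.example.com/saml/acs" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://sp.example.com/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect_binding(xml: str, relay_state: Optional[str] = None) -> str:
    """HTTP-Redirect binding: raw DEFLATE (wbits=-15, no zlib header), base64, URL-encode, query string."""
    compressor = zlib.compressobj(level=9, wbits=-15)
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    query = "SAMLRequest=" + quote_plus(base64.b64encode(deflated).decode("ascii"))
    if relay_state is not None:
        query += "&RelayState=" + quote_plus(relay_state)
    return IDP_SSO_URL + "?" + query


def decode_redirect_binding(url: str) -> str:
    """Reverse of encode_redirect_binding: pull SAMLRequest out of the query, un-escape, base64-decode, inflate."""
    query = url.split("?", 1)[1]
    params = dict(pair.split("=", 1) for pair in query.split("&"))
    raw = base64.b64decode(unquote_plus(params["SAMLRequest"]))
    return zlib.decompress(raw, -15).decode("utf-8")


def encode_post_binding(xml: str) -> dict:
    """HTTP-POST binding: plain base64 (no DEFLATE) carried as a form field in the request body."""
    return {"SAMLRequest": base64.b64encode(xml.encode("utf-8")).decode("ascii")}


def decode_post_binding(form: dict) -> str:
    return base64.b64decode(form["SAMLRequest"]).decode("utf-8")


def request_line_length(url: str) -> int:
    """Length of the request target as it appears in 'GET <path?query> HTTP/1.1', i.e. what a
    request-line or URL length limit on a proxy actually measures (scheme and host excluded)."""
    path_and_query = url.split("://", 1)[1].split("/", 1)[1]
    return len("/" + path_and_query)


def fits_request_line_limit(url: str, limit: int) -> bool:
    return request_line_length(url) <= limit


if __name__ == "__main__":
    redirect_url = encode_redirect_binding(AUTHN_REQUEST, relay_state="placeholder-relay")
    post_form = encode_post_binding(AUTHN_REQUEST)
    print("Redirect binding request-line length:", request_line_length(redirect_url))
    print("POST binding request-line length:", request_line_length(IDP_SSO_URL))
    print("POST binding body field length:", len(post_form["SAMLRequest"]))
```

With a real AuthnRequest (signed requests, long Issuer values, many RequestedAuthnContext entries) the redirect URL easily reaches a few kilobytes, so compare request_line_length against whatever limit your IdP front end enforces (the limit value used in the test is a placeholder) before changing bindings.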

 


For the second issue you may be running into the bug in article https://support.f5.com/csp/article/K13423312, so check /var/log/apm (maybe enable some debug logging to see more info: https://support.f5.com/csp/article/K45423041 / https://support.f5.com/csp/article/K41437771).

For the first issue, maybe your artifact is not configured with POST, and for F5 it is normal to use POST for the assertion and to switch to GET for the artifact.

 

%%%%%%%%%
Request method is changed to POST for assertion and to POST/GET for artifact based on the matched assertion consuming:
%%%%%%%%%

https://support.f5.com/csp/article/K06743491

You may try to manually set the URL where the IdP can send an assertion to this service provider:

 

 

&&&&&&&&&&&&&&&&&&&&&
  1. Click Add. A new row displays in the table.
  2. In the Index field, type the index number, zero (0) or greater.
  3. If this is the default service, select the Default check box. You must specify one of the services as the default.
  4. In the Location URL field, type the URL where the IdP can send an assertion to this service provider. APM supports HTTP-Artifact binding, PAOS (HTTP reverse SOAP) binding, and HTTP-POST binding to this service.
  5. From the Binding list, select Artifact, PAOS, or POST.
  6. Click Update.
&&&&&&&&&&&&&&&&

https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-...
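Added example (not from the reply above, F5's documentation or F5's code) of what the Index / Default / Location URL / Binding table in the procedure above feeds: the IdP matches the AuthnRequest against the SP's registered AssertionConsumerService entries and the matched entry's binding decides whether the response goes out as a POST form or as an artifact redirect (GET), which is the behaviour the K06743491 quote describes. The matching rules used here are the generic SAML 2.0 core ones (explicit index first, then URL plus ProtocolBinding, then the default entry), generalised beyond the single case in the thread and assumed rather than taken from APM's implementation; the SP metadata and the AuthnRequests are constructed placeholders. An AuthnRequest naming an ACS URL that is not registered resolves to None, so an assertion is never delivered to an unverified location.

```python
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ARTIFACT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed SP metadata: index 0 is the default POST ACS, index 1 an artifact ACS (placeholder URLs).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.com/saml/artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AuthnRequests covering each way an SP can name its ACS (placeholder IDs and URLs).
_REQ_HEAD = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
             'Version="2.0" IssueInstant="2020-01-01T00:00:00Z" ')
REQ_BY_URL = _REQ_HEAD + ('ID="_r1" AssertionConsumerServiceURL="https://sp.example.com/saml/acs" '
                          'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>')
REQ_BY_INDEX = _REQ_HEAD + 'ID="_r2" AssertionConsumerServiceIndex="1"/>'
REQ_DEFAULT = _REQ_HEAD + 'ID="_r3"/>'
REQ_UNREGISTERED = _REQ_HEAD + 'ID="_r4" AssertionConsumerServiceURL="https://other.example.net/acs"/>'


def load_acs_table(metadata_xml: str) -> list:
    """Read every AssertionConsumerService row (index, default flag, binding, location) from SP metadata."""
    root = ET.fromstring(metadata_xml)
    return [{"index": int(acs.get("index")),
             "default": acs.get("isDefault", "false").lower() == "true",
             "binding": acs.get("Binding"),
             "location": acs.get("Location")}
            for acs in root.findall(".//md:AssertionConsumerService", NS)]


def match_acs(authn_request_xml: str, acs_table: list) -> Optional[dict]:
    """Resolve the ACS row the response must go to. Precedence: AssertionConsumerServiceIndex,
    then AssertionConsumerServiceURL (+ProtocolBinding when given), then the default row.
    Returns None if the request names an index or URL that is not registered."""
    req = ET.fromstring(authn_request_xml)
    idx = req.get("AssertionConsumerServiceIndex")
    url = req.get("AssertionConsumerServiceURL")
    binding = req.get("ProtocolBinding")
    if idx is not None:
        return next((row for row in acs_table if row["index"] == int(idx)), None)
    if url is not None:
        return next((row for row in acs_table
                     if row["location"] == url and (binding is None or row["binding"] == binding)), None)
    return next((row for row in acs_table if row["default"]), None)


def response_delivery(acs: dict) -> str:
    """Outbound method implied by the matched binding: a POST ACS receives the SAMLResponse in an
    auto-submitted form (POST); an Artifact ACS receives only an artifact handle via redirect (GET)."""
    if acs["binding"] == POST_BINDING:
        return "POST"
    if acs["binding"] == ARTIFACT_BINDING:
        return "GET"
    raise ValueError("unsupported ACS binding: %s" % acs["binding"])


if __name__ == "__main__":
    table = load_acs_table(SP_METADATA)
    for name, req in (("by URL", REQ_BY_URL), ("by index", REQ_BY_INDEX),
                      ("default", REQ_DEFAULT), ("unregistered", REQ_UNREGISTERED)):
        row = match_acs(req, table)
        print(name, "->", "no match" if row is None else (row["location"], response_delivery(row)))
```

If your partner's AuthnRequest selects the artifact row (by index or by URL), a GET is the expected outbound method; if it should select the POST row, confirm that the Location URL and Binding in the IdP's SP configuration match what the request carries, because a mismatch falls through to the default row or to no match at all.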

Sam_D_
Nimbostratus

  Thanks for your detailed info! The bug https://support.f5.com/csp/article/K13423312 mentioned by you concerns the max length of POST data; however, what I observed is related to the length of the REDIRECT AuthnRequest URL in the SP-initiated SSO scenario.

Still check the APM and tmm logs to see if they have something, as there are other bugs related to how big the SAML resource or metadata is:

https://cdn.f5.com/product/bugtracker/ID702263.html

And see what I mentioned about the first issue: the F5 can set the artifact method as GET even when the assertion is POST.

Sam_D_
Nimbostratus

I've got confirmation from BigIP that the second issue is a bug related to APM: https://cdn.f5.com/product/bugtracker/ID685593.html