Forum Discussion

AlexS_yb's avatar
AlexS_yb
Icon for Cirrocumulus rankCirrocumulus
Dec 28, 2022

SAML artifact server - using redirect not post

Hi

had a working setup.

login.test.com -> SAML IDP

Auth.test.com -> OAuth server + SAML SP - to get a OAuth token you needed a SAML ID

this worked well until I realised some of the redirects where actually posts and you needed a function javascript engine to process them !

I went about changing the ARS on the IDP to redirect with authentication and setup a ACS to talk to it

so login -> SAML IDP + SAML ARS (artifact server)

auth -> OAuth + SAML SP + SAML ACS (artifact comsumer service .. basically - my understanding it make an out of band call to login - so it doesn't go via the browser)

all working good except for the ACS -> ARS call. I can see the request making it to login, I have an irule to capture the post but the VS is terminating the link tcp rst.

 

No logging in APM or LTM logs I have debug turned on for access profile and SSO doesn't help.

 

Any one got it working ? Any one got any ideas on how to debug the next step

 

 

 

8 Replies

  • Quick update - F5 tech support - nearly 5 days later - well its xmas. seems like I have run into a bug.

    something about http vs https. want me to present the ARS via port 80 not port 443.

    Tried it again nothing - the ARS kills the connection after recieveing it !

     

    Still at a loss on how to debug or even verify that ARS is working properlu

    • Scot_JC's avatar
      Scot_JC
      Icon for Employee rankEmployee

      Hi,

      When it comes to troubleshooting, I'd record a packet trace aftere we enabled the TCP Reset causes:

      • tmsh modify sys db tm.rstcause.pkt value enable
        tmsh modify sys db tm.rstcause.log value enable

      Hopefully, this should help (tell?) us why the ARS VS is reseting the connection.

      • AlexS_yb's avatar
        AlexS_yb
        Icon for Cirrocumulus rankCirrocumulus

        That looks very useful, got this

        No server selected

        which is strange, working with F5 support team they reacon i have hit a bug - i had it attached to my https VS and had a ssl client profile. they suggested to create a new vs and add a pool. instead I attached my ars to my http VS. its almost like the VS doesn't recognise the call as a SAML. 

        THinking out loud - maybe because I don't have the APM profile attached to the http VS.

        So setup a pool and reverse proxy it from the http to the https vs

         

        I have done a tcpdump and I can see a rst - but nothing in the rst logs

        interesting I can see the request making it to VS - i have a IRULE that captures the request and logs it !

        I have tried using that post and hand crafting it with curl and sending it manually - again I can see the request coming in but noting back