27-Dec-2022 19:16
Hi
I had a working setup.
login.test.com -> SAML IDP
Auth.test.com -> OAuth server + SAML SP - to get an OAuth token you needed a SAML ID
This worked well until I realised some of the redirects were actually POSTs and you needed a functioning JavaScript engine to process them!
I went about changing the ARS on the IDP to redirect with authentication and set up an ACS to talk to it
so login -> SAML IDP + SAML ARS (artifact server)
auth -> OAuth + SAML SP + SAML ACS (artifact consumer service ... basically, my understanding is it makes an out-of-band call to login, so it doesn't go via the browser)
All working well except for the ACS -> ARS call. I can see the request making it to login, and I have an iRule to capture the POST, but the VS is terminating the link with a TCP RST.
No logging in APM or LTM logs. I have debug turned on for access profile and SSO, doesn't help.
Anyone got it working? Anyone got any ideas on how to debug the next step?
30-Dec-2022 15:29
Quick update - F5 tech support - nearly 5 days later - well, it's Xmas. Seems like I have run into a bug.
Something about http vs https. Want me to present the ARS via port 80, not port 443.
Tried it again, nothing - the ARS kills the connection after receiving it!
Still at a loss on how to debug or even verify that ARS is working properly
31-Dec-2022 08:31
Hi,
When it comes to troubleshooting, I'd record a packet trace after we enabled the TCP Reset causes:
Hopefully, this should help (tell?) us why the ARS VS is resetting the connection.
31-Dec-2022 19:50 - edited 31-Dec-2022 21:26
That looks very useful, got this
No server selected
which is strange. Working with the F5 support team, they reckon I have hit a bug - I had it attached to my https VS and had an SSL client profile. They suggested to create a new VS and add a pool. Instead I attached my ARS to my http VS. It's almost like the VS doesn't recognise the call as SAML.
Thinking out loud - maybe because I don't have the APM profile attached to the http VS.
So set up a pool and reverse proxy it from the http to the https VS
I have done a tcpdump and I can see a RST - but nothing in the RST logs
Interesting, I can see the request making it to the VS - I have an iRule that captures the request and logs it!
I have tried using that POST and hand-crafting it with curl and sending it manually - again I can see the request coming in but nothing back
04-Jan-2023 17:57
04-Jan-2023 17:58
yeah 😞
04-Jan-2023 18:00 - edited 04-Jan-2023 18:14
@AlexS_yb - what's your support case number? I'll try to follow up on this tomorrow.
Edit: got your PM, thanks. Will follow up.
12-Jan-2023 15:28
hey @AlexS_yb, any movement with support? I'm not sure I can help much here, but wanted to make sure I followed up. Keep us posted!
12-Jan-2023 17:03
Thanks for following up.
I'm told it's with engineering - they can reproduce. I am now just waiting for a workaround or patch!
Although it's been a while