Had a working setup.
login.test.com -> SAML IDP
Auth.test.com -> OAuth server + SAML SP - to get an OAuth token you needed a SAML ID
I went about changing the ARS on the IDP to redirect with authentication and set up an ACS to talk to it
so login -> SAML IDP + SAML ARS (artifact server)
auth -> OAuth + SAML SP + SAML ACS (artifact consumer service .. basically - my understanding is it makes an out-of-band call to login - so it doesn't go via the browser)
All working good except for the ACS -> ARS call. I can see the request making it to login, I have an iRule to capture the POST, but the VS is terminating the link with a TCP RST.
No logging in APM or LTM logs. I have debug turned on for the access profile and SSO; doesn't help.
Anyone got it working? Anyone got any ideas on how to debug the next step?
Quick update - F5 tech support - nearly 5 days later - well, it's Xmas. Seems like I have run into a bug.
Something about HTTP vs HTTPS. They want me to present the ARS via port 80, not port 443.
Tried it again, nothing - the ARS kills the connection after receiving it!
Still at a loss on how to debug or even verify that the ARS is working properly.
When it comes to troubleshooting, I'd record a packet trace after we have enabled the TCP Reset causes:
Hopefully, this should help (tell?) us why the ARS VS is resetting the connection.
That looks very useful, got this:
No server selected
Which is strange. Working with the F5 support team, they reckon I have hit a bug - I had it attached to my HTTPS VS and had an SSL client profile. They suggested creating a new VS and adding a pool. Instead I attached my ARS to my HTTP VS. It's almost like the VS doesn't recognise the call as SAML.
Thinking out loud - maybe because I don't have the APM profile attached to the HTTP VS.
So set up a pool and reverse proxy it from the HTTP to the HTTPS VS.
I have done a tcpdump and I can see an RST - but nothing in the RST logs.
Interesting, I can see the request making it to the VS - I have an iRule that captures the request and logs it!
I have tried using that POST and hand-crafting it with curl and sending it manually - again I can see the request coming in but nothing back.
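Two points in the thread, "verify that the ARS is working properly" and hand-crafting the ACS -> ARS POST with curl, come down to the same question: what does the back-channel artifact call actually carry, and is it addressed to the right IdP? The Python below is an added example written for this thread; it is not code from the poster, from F5 or from APM. It builds and decodes a SAML 2.0 type-4 artifact (type code 0x0004, endpoint index, 20-byte SourceID = SHA-1 of the IdP entity ID, 20-byte message handle, as laid out in the SAML 2.0 Bindings spec), checks the SourceID against the IdP you think you are calling, and serialises/parses the SOAP 1.1 `samlp:ArtifactResolve` envelope the ACS sends to the ARS. The entity IDs `https://login.test.com/idp` and `https://auth.test.com/sp` are constructed sample values, not anything from the thread's real configuration.

```python
"""
Added example (not from the thread, F5 or APM): decode a SAML 2.0 type-4 artifact
and build/parse the ArtifactResolve SOAP message the ACS sends to the ARS
out of band.  Entity IDs used at the bottom are constructed sample values.
"""
import base64
import hashlib
import os
import struct
import uuid
from datetime import datetime, timezone
from typing import Optional
from xml.etree import ElementTree as ET

# SAML 2.0 Bindings spec, section 3.6.4: type-4 artifact layout
TYPE_CODE = 0x0004
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"


def source_id(issuer_entity_id: str) -> bytes:
    """SourceID is the 20-byte SHA-1 of the issuing IdP's entity ID."""
    return hashlib.sha1(issuer_entity_id.encode("utf-8")).digest()


def build_artifact(issuer_entity_id: str, endpoint_index: int = 0,
                   handle: Optional[bytes] = None) -> str:
    """Build a type-4 artifact as the IdP would issue it (random handle if none given)."""
    handle = os.urandom(20) if handle is None else handle
    if len(handle) != 20:
        raise ValueError("message handle must be 20 bytes")
    raw = struct.pack(">HH", TYPE_CODE, endpoint_index) + source_id(issuer_entity_id) + handle
    return base64.b64encode(raw).decode("ascii")


def decode_artifact(artifact: str) -> dict:
    """Split a base64 artifact into its fields; raise ValueError if it is malformed."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 44:
        raise ValueError(f"type-4 artifact must be 44 bytes, got {len(raw)}")
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != TYPE_CODE:
        raise ValueError(f"unsupported artifact type 0x{type_code:04x}")
    return {
        "type_code": type_code,
        "endpoint_index": endpoint_index,   # which ARS endpoint in IdP metadata to call
        "source_id": raw[4:24].hex(),
        "message_handle": raw[24:44].hex(),
    }


def artifact_matches_idp(artifact: str, idp_entity_id: str) -> bool:
    """True if the artifact's SourceID names the IdP whose ARS the ACS is about to call."""
    return decode_artifact(artifact)["source_id"] == source_id(idp_entity_id).hex()


def build_artifact_resolve(sp_entity_id: str, artifact: str) -> bytes:
    """Serialise the SOAP 1.1 envelope carrying samlp:ArtifactResolve (artifact binding)."""
    ET.register_namespace("soapenv", SOAP)
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    req = ET.SubElement(body, f"{{{SAMLP}}}ArtifactResolve", {
        "ID": "_" + uuid.uuid4().hex,   # xs:ID must not start with a digit
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{SAMLP}}}Artifact").text = artifact
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def parse_artifact_resolve(xml_bytes: bytes) -> dict:
    """Pull issuer and artifact out of a captured ArtifactResolve (e.g. an iRule-logged POST body)."""
    root = ET.fromstring(xml_bytes)
    req = root.find(f"{{{SOAP}}}Body/{{{SAMLP}}}ArtifactResolve")
    if req is None:
        raise ValueError("no samlp:ArtifactResolve in SOAP body")
    return {
        "issuer": req.findtext(f"{{{SAML}}}Issuer"),
        "artifact": req.findtext(f"{{{SAMLP}}}Artifact"),
    }


if __name__ == "__main__":
    # Constructed sample entity IDs for the two hosts in the thread
    idp, sp = "https://login.test.com/idp", "https://auth.test.com/sp"
    art = build_artifact(idp)
    print(decode_artifact(art))
    print("issued by the login IdP:", artifact_matches_idp(art, idp))
    msg = build_artifact_resolve(sp, art)
    print(msg.decode())
    print(parse_artifact_resolve(msg))
```

Feeding the POST body captured by the iRule into `parse_artifact_resolve` and then `artifact_matches_idp` tells you whether the ACS is resolving an artifact that this IdP actually issued and which ARS endpoint index it expects; if those check out, the reset is a transport or virtual-server problem rather than a malformed artifact.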