SAML artifact server - using redirect not post

AlexS_yb
Cirrocumulus

Hi

Had a working setup.

login.test.com -> SAML IDP

Auth.test.com -> OAuth server + SAML SP - to get an OAuth token you needed a SAML ID

This worked well until I realised some of the redirects were actually posts and you needed a functioning javascript engine to process them!

I went about changing the ARS on the IDP to redirect with authentication and set up an ACS to talk to it

so login -> SAML IDP + SAML ARS (artifact server)

auth -> OAuth + SAML SP + SAML ACS (artifact consumer service .. basically - my understanding is it makes an out of band call to login - so it doesn't go via the browser)

All working good except for the ACS -> ARS call. I can see the request making it to login, I have an iRule to capture the post, but the VS is terminating the link with a TCP RST.

No logging in APM or LTM logs. I have debug turned on for the access profile and SSO; it doesn't help.

Anyone got it working? Anyone got any ideas on how to debug the next step?
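
The ACS -> ARS back-channel call described above, as an added example that is not from this thread or from F5: it builds and decodes a SAML 2.0 artifact, checks that the artifact's SourceID names the IdP the ACS trusts, and produces the ArtifactResolve request the ACS POSTs out of band to the ARS. The entity IDs are assumed values; the thread only names the hosts login.test.com and auth.test.com.

```python
import base64
import hashlib
import struct
from datetime import datetime, timezone
from xml.sax.saxutils import escape

# Constructed value: the thread names login.test.com as the IdP; the entity ID itself is assumed.
IDP_ENTITY_ID = "https://login.test.com/idp"
TYPE_CODE = 0x0004  # the only artifact type defined in SAML 2.0 Bindings, section 3.6.4


def make_artifact(entity_id: str, endpoint_index: int, handle: bytes) -> str:
    """Build a type-0x0004 artifact the way an ARS does: 2-byte type code, 2-byte
    endpoint index, 20-byte SourceID (SHA-1 of the issuer entity ID), 20-byte handle."""
    if len(handle) != 20:
        raise ValueError("message handle must be 20 bytes")
    source_id = hashlib.sha1(entity_id.encode("utf-8")).digest()
    raw = struct.pack(">HH", TYPE_CODE, endpoint_index) + source_id + handle
    return base64.b64encode(raw).decode("ascii")


def decode_artifact(artifact_b64: str) -> dict:
    """Split an artifact into its fields, rejecting malformed input or unknown types."""
    raw = base64.b64decode(artifact_b64, validate=True)
    if len(raw) != 44:
        raise ValueError(f"artifact must decode to 44 bytes, got {len(raw)}")
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != TYPE_CODE:
        raise ValueError(f"unsupported artifact type 0x{type_code:04x}")
    return {"endpoint_index": endpoint_index, "source_id": raw[4:24], "message_handle": raw[24:44]}


def source_id_matches(artifact_b64: str, entity_id: str) -> bool:
    """An ACS should resolve only artifacts whose SourceID names an IdP it trusts."""
    expected = hashlib.sha1(entity_id.encode("utf-8")).digest()
    return decode_artifact(artifact_b64)["source_id"] == expected


def build_artifact_resolve(artifact_b64: str, issuer: str, request_id: str) -> str:
    """SOAP body of the out-of-band POST from the ACS to the ARS (the call reset in the thread)."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
        '<samlp:ArtifactResolve xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{escape(request_id)}" '
        f'Version="2.0" IssueInstant="{now}"><saml:Issuer>{escape(issuer)}</saml:Issuer>'
        f"<samlp:Artifact>{escape(artifact_b64)}</samlp:Artifact>"
        "</samlp:ArtifactResolve></soap:Body></soap:Envelope>"
    )
```

The ARS side would look up the message handle it issued, verify the requesting SP, and answer with an ArtifactResponse; a reset before any SOAP response, as in the thread, means the request never reached that logic.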

8 REPLIES

AlexS_yb
Cirrocumulus

Quick update - F5 tech support - nearly 5 days later - well, it's xmas. Seems like I have run into a bug.

Something about http vs https. They want me to present the ARS via port 80, not port 443.

Tried it again, nothing - the ARS kills the connection after receiving it!

Still at a loss on how to debug or even verify that the ARS is working properly

Hi,

When it comes to troubleshooting, I'd record a packet trace after we enable the TCP reset causes:

  • tmsh modify sys db tm.rstcause.pkt value enable
  • tmsh modify sys db tm.rstcause.log value enable

Hopefully, this should help (tell?) us why the ARS VS is resetting the connection.

That looks very useful, got this:

No server selected

which is strange. Working with the F5 support team, they reckon I have hit a bug - I had it attached to my https VS and had an SSL client profile. They suggested creating a new VS and adding a pool. Instead I attached my ARS to my http VS. It's almost like the VS doesn't recognise the call as SAML.

Thinking out loud - maybe because I don't have the APM profile attached to the http VS.

So set up a pool and reverse proxy it from the http to the https VS

I have done a tcpdump and I can see a RST - but nothing in the RST logs

Interesting, I can see the request making it to the VS - I have an iRule that captures the request and logs it!

I have tried using that post, hand crafting it with curl and sending it manually - again I can see the request coming in but nothing back

As you said, it's been the holidays. Just dropping a note to make sure @Scot_JC saw your follow-up. Are you still experiencing the issue then, @AlexS_yb?

yeah 😞

@AlexS_yb  - what's your support case number? I'll try to follow up on this tomorrow. 

Edit: got your PM, thanks. Will follow up. 

JRahm
Community Manager

Hey @AlexS_yb, any movement with support? I'm not sure I can help much here, but wanted to make sure I followed up. Keep us posted!

Thanks for following up.

I'm told it's with engineering - they can reproduce it. I am now just waiting for a workaround or patch!

Although it's been a while