
SAML issue with SimpleSAMLphp as IdP, BIG-IP as SP

boneyard
MVP

I have been trying to get SAML working, SimpleSAMLphp as IdP and BIG-IP as SP. I believe it works up to the point where the IdP sends its successful auth data to the SP; once received by the SP I get this error: SAML Agent: /Common/saml_act_saml_auth_ag failed to parse assertion, error: Canonicalization of SignedInfo

Not sure how to continue from there, so many options and so little information on their exact effect.

I built the setup as follows: a virtual server with an access profile with just Start --> SAML Auth --> Allow, a BIG-IP as SP profile with an IdP connection based on URI /, and an IdP connection created from the metadata of the IdP. Turned off as many signed and secure options as possible, just testing now, will add them later on.

Anyone here that has set up BIG-IP as SP successfully with SimpleSAMLphp? Can you share some experience?

7 replies

boneyard
MVP
Perhaps the combination is not that common, but is the general setup of a normal virtual server with a pool towards some webserver, with an APM profile with SAML auth, the acceptable setup for SAML? I expect to gain access after the IdP allows me and posts that to the virtual server I tried to access at first.

Christian_Baco1
Nimbostratus
Currently, I did successfully set up BIG-IP as SP and also as IdP, but with some applications you can't use a connection based on URI / (for example Exchange was /owa/ ...). Working well with SAML SP and IdP.

Christian_Baco1
Nimbostratus
Oops, without SimpleSAMLphp. Sorry.

boneyard
MVP
Where exactly can't you use that /uri then? You mean do SAML for only /uri and not for /?

Can you provide more configuration information? Without knowing more it is difficult to make a guess at an answer.

boneyard
MVP
Thanks, but I really wouldn't know what to provide configuration-wise. I used the defaults, so configuration of the SP on the BIG-IP isn't much more than making up an ID, importing the metadata from the IdP and making a connection. Support: "This message is seen when BIG-IP is configured as SAML service provider (SP) and it does not authenticate if SAML assertion and SAML response are both signed. Authentication will fail. This issue has already been identified as BZ 396735 which is fixed in Eng HF for v11.3 and in v11.4 HF3." F5 support believes I encountered a bug and advises updating to 11.4 SP3; planning to do that this week and will report back.
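The support answer quoted above turns on one property of the IdP's message: whether the samlp:Response, the saml:Assertion, or both carry a ds:Signature. The following Python script is an added diagnostic, not F5 or SimpleSAMLphp code. It parses a SAML 2.0 Response as the SP receives it (the base64-decoded SAMLResponse form value) and reports which elements are signed and which canonicalization algorithm each SignedInfo declares, since "Canonicalization of SignedInfo" is what the BIG-IP error names. It can tell you in advance whether an IdP's output hits the both-signed case; it does not verify the signatures. The sample responses are constructed, with dummy signature values and placeholder issuer and subject names.

```python
"""Report where a SAML 2.0 Response carries XML signatures (added diagnostic)."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
INCL_C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"


def _direct_signature(elem):
    """Return the ds:Signature that is a direct child of elem, or None.

    Only direct children count: a signature inside the Assertion is not a
    Response-level signature, and vice versa.
    """
    for child in elem:
        if child.tag == "{%s}Signature" % NS["ds"]:
            return child
    return None


def _c14n_method(signature):
    """Canonicalization algorithm URI declared in the signature's SignedInfo."""
    node = signature.find("ds:SignedInfo/ds:CanonicalizationMethod", NS)
    return node.get("Algorithm") if node is not None else None


def inspect_saml_response(xml_data):
    """Classify signature placement in a samlp:Response (str or bytes)."""
    root = ET.fromstring(xml_data)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not samlp:Response")
    resp_sig = _direct_signature(root)
    assertion = root.find("saml:Assertion", NS)
    if assertion is not None:
        asrt_sig = _direct_signature(assertion)
        assertion_signed = asrt_sig is not None
    else:
        asrt_sig = None
        # An EncryptedAssertion cannot be inspected before decryption: unknown.
        encrypted = root.find("saml:EncryptedAssertion", NS)
        assertion_signed = None if encrypted is not None else False
    methods = {}
    if resp_sig is not None:
        methods["response"] = _c14n_method(resp_sig)
    if asrt_sig is not None:
        methods["assertion"] = _c14n_method(asrt_sig)
    return {
        "response_signed": resp_sig is not None,
        "assertion_signed": assertion_signed,
        "both_signed": resp_sig is not None and assertion_signed is True,
        "c14n_methods": methods,
        # SAML signatures normally use exclusive C14N; anything else stands out.
        "non_exclusive_c14n": [k for k, v in methods.items() if v != EXC_C14N],
    }


def inspect_samlresponse_form_value(b64_value):
    """Same check, starting from the base64 SAMLResponse POST parameter."""
    return inspect_saml_response(base64.b64decode(b64_value))


def _dummy_signature(c14n=EXC_C14N):
    # Constructed signature skeleton; the SignatureValue is a placeholder.
    return ('<ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="%s"/>'
            '<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
            '</ds:SignedInfo><ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue>'
            '</ds:Signature>' % c14n)


def build_sample(sign_response, sign_assertion, assertion_c14n=EXC_C14N):
    """Constructed SAML Response (not a real capture) with optional signatures."""
    issuer = "<saml:Issuer>https://idp.example.test/simplesaml/saml2/idp/metadata.php</saml:Issuer>"
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" '
        'ID="_r1" Version="2.0" IssueInstant="2013-06-01T12:00:00Z">'
        + issuer + '%s'
        '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-06-01T12:00:00Z">'
        + issuer + '%s'
        '<saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>'
        '</saml:Assertion></samlp:Response>'
    ) % (NS["samlp"], NS["saml"], NS["ds"],
         _dummy_signature() if sign_response else "",
         _dummy_signature(assertion_c14n) if sign_assertion else "")


if __name__ == "__main__":
    for label, xml in (("both signed", build_sample(True, True)),
                       ("assertion only", build_sample(False, True)),
                       ("unsigned", build_sample(False, False))):
        print(label, inspect_saml_response(xml))
```

Feed a real capture in as the decoded SAMLResponse value; `both_signed` is the condition the support answer describes, and `non_exclusive_c14n` lists any signature whose SignedInfo is not declared with exclusive C14N, which is worth checking on both sides before touching the BIG-IP's verification settings.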

boneyard
MVP

The upgrade solved this issue.