Forum Discussion

Cirrus's avatar
Cirrus
Icon for Cirrus rankCirrus
Mar 19, 2020
Solved

SAML SP ACS Post back resulting in a 404

Hello,

I have one application configured to use APM via SAML authentication, the SP & IdP are both running directly on our F5 - this setup is working for many applications only for this one i have problems with the SAML flow.

So only some web ressources from this app are protected, we used here an iRule in order to handle this, when i access one of the protected URIs i will be redirected to our IdP in order to get the authentication (KRB Ticket), this is still working i get a session for it (Allowed state) and see also the correct SP in the reference. But the bost pack from Idp to the SP to the ACS /saml/sp/profile/post/acs is resulting in a 404

Accessing protected web ressource 
-> www.app1.com/protected
No session right now so i will be redirected to Idp
-> idp.com/saml/idp/profile/redirectorpost/sso (Post; State 302)
Redirect back to SP
-> www.app1.com/saml/sp/profile/post/acs (Post; State 404)

Anybody an idea how to solve this or where i can start with the error search?

Thanks,

Christoph

  • Finally solved this topic with the help from F5 Support - thank you so much.

     

    The main issue is that not my whole web app is protected through APM as this would have serious performance impacts, therefore we have defined some protected sites. When hitting any of these URIs APM will be enabled, default is disabled.

     

    And in that code we forgot to also have /saml URI enpoint marked as protected site as this is the SAML SP endpoint after IdP Session was created. Now we come up with that iRule, which is working great for our purpose

     

    when HTTP_REQUEST {
     
           # Check the requested HTTP path
           switch -glob [string tolower [HTTP::path]] {
                  "/saml/*" -
                  "/en/confidential/*" -
                  "/de/confidential/*" -
                  "/confidential/*" {
                         # Enable APM for these paths
                         ACCESS::enable
                  }
                  default {
                         # Disable APM for all other paths
                         ACCESS::disable
                  }
           }
    }

     

4 Replies

  • When you do the redirect, does the user have a session? The user should present back a session ID in the cookie which ties up the first redirect with the response

  • So i'll get the IdP Session and after the redirect back to the SP also the session for the SP is starting. In my Access Profile the first element is the "Saml Auth" which is also generating the Session variable, but then it stops and the access profile is not finished and therefore the session on SP side will never finish

     

    In my opinion it's a problem from the webpage in the background, it's a TYPO3 CMS and I think that 404 page is delivery from that website, but i don't know how to workaround that or to avoid such things in the future

  • Finally solved this topic with the help from F5 Support - thank you so much.

     

    The main issue is that not my whole web app is protected through APM as this would have serious performance impacts, therefore we have defined some protected sites. When hitting any of these URIs APM will be enabled, default is disabled.

     

    And in that code we forgot to also have /saml URI enpoint marked as protected site as this is the SAML SP endpoint after IdP Session was created. Now we come up with that iRule, which is working great for our purpose

     

    when HTTP_REQUEST {
     
           # Check the requested HTTP path
           switch -glob [string tolower [HTTP::path]] {
                  "/saml/*" -
                  "/en/confidential/*" -
                  "/de/confidential/*" -
                  "/confidential/*" {
                         # Enable APM for these paths
                         ACCESS::enable
                  }
                  default {
                         # Disable APM for all other paths
                         ACCESS::disable
                  }
           }
    }