APM with EntraID as idP / request signed
Hi experts. I need your help to solve an issue. I'm configuring a new enviroment with BIG-IP version 15.1.8.2 Build 0.0.17 Point Release 2. I have the APM works fine with SSO using EntraID (AzureAD) as idP. Now, I need to enable the request signed (Enforce signed SAML authentication requests - Microsoft Entra ID | Microsoft Learn). I generated the self signed certificate and import it on my app at Azure and my BIG-IP. I changed my config in Access > Federation > SAML Identity Provider and assigned my self signed certificate (pk included) to assign the request. But, I've received the below error by EntraID: Sign-in error code: 76021 Failure reason: The request sent by client is not signed while the application requires signed requests All attemps was made by browser (SSL VPN). Thank you.
F5 APM - limiting access to the bandwidth for network Access
I am looking for a way of restricting access to the available bandwidth for our SSL VPN users. I see within the 'Network Access' configuration (Network Settings) there is an option to set 'Client Interface Speed' in bits per second. I have attempted to find more information on this without much luck. The only references I can find are below: 'Specifies the maximum speed of the client interface connection, in bits per second.' 'Specifies the speed of the client interface connection, in bits per second.' Can anyone provide further insight to this particular setting? I want to confirm/understand: (1) if this is actually a bandwidth restriction or whether it is just an administrative setting (though the above suggests a restriction) (2) if it is a bandwidth restriction, does this perform Traffic Policing or shaping? (3) is the setting per client connection, or all connections using that particular 'network access' Thanks
<apm_do_not_touch> in JS file failing</apm_do_not_touch>
So we have an application that uses the @cc_on statement within a javascript file, and the APM is trying to rewrite it. Problem is (as stated in SOL3910) that the rewrite breaks the code because it doesn't rewrite properly. According the the SOL3910, adding the tag around an HTML element works to tell APM to ignore rewriting this section. The problem is that this fix doesn't (fully) work in JS files because the tag is an html tag. While adding the tag around the section will work to keep APM from rewriting the code, because it's in a JS file, the syntax is invalid and causes other JS errors. I've tried embedding the tag in a comment (many different ways) but it doesn't work, and APM will continue to rewrite the code. I doubt there's a javscript statement we can use to do the same thing here and cause APM to ignore rewriting it, but wanted to see if anyone else had a similar issue before or ideas on resolution.
OAuth token synchronization in APM HA pair
Hello. I have an HA pair of APMs, acting as a OAuth authorization server. By default, devices in HA should synchronized OAuth tokens from Active to Standby. But I don't see issued tokens on Standby device. The statemirror.mirrorsession system database variable set in "enabled". :Active:In Sync] ~ # tmsh show apm oauth token-details db-instance <db_name> total-tokens: 7258 :Standby:In Sync] ~ # tmsh show apm oauth token-details db-instance <db_name> total-tokens: 0 No synchronization errors (Failed to initiate DB synchronization (ERR_DB)) in logs. How can I check, that token synchronization is successful and issued OAuth tokens existing on both device in cluster?DTLS support for Citrix Receiver 4.7? (Adaptive Transport, EDT)
Will there be DTLS support for Citrix new "Adaptive Transport" or "Enlightened Data Transport (EDT)" which is based on UDP in APM? This is a new feature since version 4.7 of Citrix Receiver, and version 7.13 of XenDesktop/XenApp. I would definitely want it to be supported asap...Icall script argument
Hello! How I can translate to icall script argument from APM via iRule? Example. I want generate user certificate SSL via APM. I wrote bash script, but it should be called with two argument - UserName and UserDomain. Thank you! sys icall script gcc_script { app-service none definition { exec /home/root/scripts/certificates.sh $UserDN $DomainDN exec istats remove "GCC generate for UserDN" } description none events none }
