acs
4 TopicsGetting SAML working from APM to Guacamole
Hi All, I'm currently using an iRule to create a password for guacamole and using URL based login using a predetermined username and that password (which has been synchronised on the back-end to mysql). But now with Guacamole 1.2, they've included SAML support which I've been able to get working with onelogin.com, but not with F5 APM. I see a request from APM to Guacamole and then a response back from Guacamole and then these entries in the APM logs: Aug 21 09:56:05 f5-vpn notice tmm1[13465]: 014d1602:5: /Common/login.guacamole.rededucation.com.app/login.guacamole.rededucation.com:Common:b3c3ff31:SAML SSO: BIG-IP as IdP (/Common/login.guacamole.rededucation.com.app/login.guacamole.rededucation.com_login.guacamole.rededucation.com_saml_sso) sent SAML response (Assertion) (size: 8573) with status (urn:oasis:names:tc:SAML:2.0:status:Success) to SP (/Common/saml_guacamole) for subject type (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent) value (hn8cYnzVXUegJBO89ITyAA==) Aug 21 09:56:17 f5-vpn err tmm1[13465]: 014d1005:3: /Common/login.guacamole.rededucation.com.app/login.guacamole.rededucation.com:Common:b3c3ff31:SAML SSO: Error: No SP Connector attached to SAML SSO from assigned SAML resources matching authentication request. If ACS URL is present in authentication request it should match ACS URL from SP Connector. If Issuer is present in authentication request it should match entity_id from SP connector Aug 21 09:56:17 f5-vpn err tmm1[13465]: 014d1014:3: /Common/login.guacamole.rededucation.com.app/login.guacamole.rededucation.com:Common:b3c3ff31:SAML SSO: Error(16) Unable to find SAML SSO/SP Connector object matching SAML Authn Request Aug 21 09:56:17 f5-vpn err tmm1[13465]: 014d1011:3: /Common/login.guacamole.rededucation.com.app/login.guacamole.rededucation.com:Common:b3c3ff31:SAML SSO: Abort reason: Error in decompression callback Aug 21 09:56:24 f5-vpn notice tmm[13465]: 01490521:5: /Common/ap_labs.rededucation.com:Common:fda6f4c4: Session statistics - bytes in: 4962, bytes out: 4146 I'm wondering what these log messages mean? The SAML SSO/SP Connector that has a matching url in it, so I'm not sure why it's not able to be contacted when guacamole refers back to APM. Any help would be much appreciated! Cheers, Daniel Storey700Views0likes1CommentF5 as IDP & SAML Service Provider with multiple ACS Bindings
Version: 11.5.1 HF7 (LTM + APM) Anyone out there using F5 as IDP with a SAML service provider which contains multiple ACS bindings (please find snippet below)? After import of metadata, I can only find one ACS URI in bigip.conf, so I doubt this may be a feature which is currently not supported continue ... continue ... Highly appreciate any feedback on that topic Thx271Views0likes1CommentNeed to configure TACACS+ on LTM BIG-IP 11.4.1
Hi, I an configuring TACACS+ on LTM BIG-IP 11.4.1 using ACS 2.6. However it doesnt seem to work. PLease if someone can let me know if ACS2.6 is supported. Also id possible someone can guide how to configure On the ACS I have created a user group and I am using the custom attribute F5-LTM-User-Info-1=adm under the F% common Also on the F5 i have defined this string But this doesnt seem to work On the ACS I am getting the logs stating "Service not supported" Also on the F5 I am getting Authorization failure logs. Please if someone can guide If someone has successfully configured TACACS+ using ACS2.6 that would be superb if he could let me know the steps234Views0likes1CommentHelp! ACS, v11.6, variable substitution for multiple user roles in multiple partitions?
v11.6 allows multiple roles per account as long as they are assigned to different partitions. What is the recommended configuration for LTM v11.6 and ACS 5.2 to support variable substitution for complex RBAC assignments? For instance, UserA in AD who is a member of AD groups 'F5 Operator' and 'F5 Certs' can login and have manager access to PartitionA and Certificate Manager access to Common.208Views0likes0Comments