metadata
8 Topics

APM Create SAML Idp from META-data fails. MCP Error: 01070734:3
Hi, I'm running into a weird problem. I'm trying to import an external IdP connector from META-data, but I'm getting an error that I don't understand. I have tried to search in the forum and on the web for an answer, but it seems like no one ever had this problem:

    "MCP Error: 01070734:3: Configuration error: apm aaa saml-idp-connector /Common/etj-ver : Signature verification failed. File contents changed"

Anyone know what it means? I'm guessing there is something wrong in the META-data, but it's quite hard to make anything out of this error message. The IdP has a wildcard certificate in it; could that be a problem for APM?

Cheers // Mattias

Solved | 1.3K Views | 0 likes | 8 Comments

Export SAML Metadata
Working on setting up APM (11.4.1) as a SAML service provider to an External IdP. Got the External IdP connector set up fine. Got the Local SP Service set up and bound to the External IdP. In trying to export the metadata for the Local Service Provider in APM, I hit the Export Metadata option, and regardless of whether I Sign Metadata or not, when I hit the Download button, I get nothing. No file download prompt in the browser or notice as to where the XML file may have been placed.

How do I actually export the SP metadata so I can set up the F5 Relying Party in the IdP? The manual simply says "APM downloads an XML file". OK, what does that mean?

Thanks

738 Views | 0 likes | 5 Comments

Partial Updates to Metadata for GTM and LTM
I'd like to add metadata to WIPs without overwriting any existing data (or, if the same metadata exists, to update that). I connect to iControl REST with the HTTP "PATCH" method and a JSON payload, and that works well enough, but the payload totally overwrites whatever already existed. Looking in the LTM audit log, I see:

    Jul 24 13:12:55 <snip/> notice icrd_child[17595]: 01420002:5:AUDIT- pid=17595 user=myUser folder=/Common module=(tmos)# status=[Command OK] cmd_data=modifyltmvirtual /Common/myPool-443 {metadata replace-all-with{ dummyMetadata { persist false value IgnoreMe } } }

Is there an alternative to replace-all-with? If so, is there a different method or request I should use?

Solved | 676 Views | 0 likes | 2 Comments

Limit SP metadata SLO xml tag to POST or REDIRECT..
So.. I've set up an SP in APM. The SP is configured to use POST binding. But we have an issue with ADFS, as the metadata we export for the SP contains both POST and redirect.. the clients use redirect.. and both POST and redirect are present as endpoints in ADFS.

Is it standard for the metadata to contain both, or is that a piece of config we missed? At the moment we've manually removed the redirect part of the XML to solve it, but it would be nice to know if it's a configuration mistake or if it's default behaviour.

599 Views | 1 like | 3 Comments

Using SAML AssertionConsumerServiceIndex and AttributeConsumingServiceIndex
How do I get the F5 APM to send the AssertionConsumerServiceIndex in place of AssertionConsumerServiceURL in a SAML AuthnRequest? Also, for the AttributeConsumingServiceIndex, how do I get the F5 APM to put this in the AuthnRequest? I already have the relevant metadata definitions.

536 Views | 0 likes | 5 Comments

Searching and Filtering Objects by Metadata
I've been adding some metadata to the WIPs in our F5 GTMs, e.g.

    "metadata": [
        { "name": "xxAppName", "persist": "true", "value": "Web Service" },
        { "name": "xxAppOwner", "persist": "true", "value": "myGroup2" },
        { "name": "xxAppSupport", "persist": "true", "value": "support_email@mydomain.com" },
        { "name": "xxServiceName", "persist": "true", "value": "myService2" },
        { "name": "xxWIPStatus", "persist": "true", "value": "active" }
    ],

This is useful when I'm using Splunk or jq to parse the results, but what if I want to limit the scope of the returned data in the original request, analogous to a filter like "where xxAppSupport == support_email@mydomain.com"? Do any versions of iControl REST (and by extension, the SDK) support this? It'll be really useful when this effort extends to our LTMs.

Thanks.

519 Views | 0 likes | 2 Comments

Big-ip as SAML IdP: automate metadata import
Hi, I'm looking into using our Big-IP as a SAML IdP. It all seems straightforward; however, I seem to be missing a key option: the regular import of SP metadata.

We currently use a Shibboleth IdP 3.x. This IdP downloads the metadata of our federations (Belnet, eduGAIN) on a regular basis. These federations are large. There are many SPs, and SPs change all the time. Obviously I don't want to create all the SPs from the metadata by hand. Or even automate it by tmsh; this seems to be a bad idea.

Is there any way to do this? I've seen the option IdP Automation; unfortunately it seems to be only for when you use the Big-IP as a SAML SP.

Thanks
Vincent

318 Views | 0 likes | 2 Comments

Adding/Removing Metadata to GTM Pool: Will This Impact Traffic?
I haven't seen any evidence of this in practice or in documentation, but I'd feel a lot better with some corroboration from you lovely people in DevCentral. I'd like to execute the following PUT request against a GTM server running iControlREST v12 (for each pool):

    curl -sk "https://[f5_server]/mgmt/tm/gtm/pool/a/[pool_name]" \
      -H 'Content-Type: application/json' \
      --user "[user]":"[password]" \
      -X PUT \
      -d '{"metadata": [{"name": "AppName","persist": "true","value": "Test_Value1"},{"name": "ServiceName","persist":"false","value":"Test_Value2"},{"name": "AppOwner","persist":"false","value":"Test_Value3"},{"name": "AppSupport","persist":"false","value":"Test_Value4"}]}'

So far, so simple, but I'd like to ensure that this doesn't invoke or trigger something dramatic like a config reload or crash the server. No visible cause for panic here, right?

N.b. there is no metadata for these pools at present; I'm aware that this is a "write" and not an "update" command, but that's okay.

Thanks!

258 Views | 0 likes | 0 Comments