SOLVED: sending IsCompliant, IsKnown and IsManaged via SAML (SSO)
Background We have an EntraID (Azure/Microsoft365) SAML based VPN using the APM module and were keen to provide a different device pool to domain devices, rather than personal devices (BYOD). We noted that, in the EntraID logs, it included elements such as whether the device IsCompliant, IsKnown and/or IsManaged: Wrong step first We followed part of the exceptionally good video from Matthieu Dierick (https://www.youtube.com/watch?v=DBA84d4VJU8) in which he explains how to configure InTune to make the IsCompliant assertion and push a certificate onto the device to identify it.. and then the BIG-IP Edge client will send that certificate back to be used via an API call against InTune (even if EntraID isn't used for your APM authentication). To get the API bit to function we needed to follow the guidance in https://my.f5.com/manage/s/article/K00943512 But we aren't that far down the route with InTune and, without pushing that certificate, we got the error "Device ID was not found in session variables" (as explained in https://my.f5.com/manage/s/article/K93969130 ) To get working: Azure steps It seems exporting these variables isn't natively available through the GUI although there were some pointers available from Azure AD - SAML - Intune - ismanaged attribute - Microsoft Q&A In short, Navigate to: https://portal.azure.com/ Microsoft EntraID Under Manage > App registrations (this will default to "owned application") choose "all applications" tab Filter by the name of your SAML configuration Manage > Manifest Take a copy of the manifest incase you want to revert (note that it won't let you save it unless it can parse the input) Find the section "optional claims" and inject the following after any groups you pass back: "optionalClaims": { "accessToken": [], "idToken": [], "saml2Token": [ { "additionalProperties": [ "on_premise_security_identifier" ], "essential": false, "name": "groups", "source": null }, { "additionalProperties": [ ], "essential": true, "name": "is_device_managed", "source": null }, { "additionalProperties": [ ], "essential": true, "name": "is_device_compliant", "source": null }, { "additionalProperties": [ ], "essential": true, "name": "is_device_known", "source": null } ] }, To get working: APM steps In the visual policy editor you can now assign variables to those claims of the form: session.logon.last.isknown = mcget {session.saml.last.attr.name.http://schemas.microsoft.com/201 4/02/devicecontext/claims/isknown} session.logon.last.iscompliant = mcget {session.saml.last.attr.name.http://schemas.microsoft.com/201 4/09/devicecontext/claims/iscompliant} session.logon.last.ismanaged = mcget {session.saml.last.attr.name.http://schemas.microsoft.com/201 2/01/devicecontext/claims/ismanaged} So you can end up with a variable assignment box that looks like: (just be careful with copy/paste that it doesn't introduce spaces in the session variables) Then you can do a new general purpose > empty box with a branch rule evaluating: expr {[mcget {session.logon.last.ismanaged}] == "true"} Optionally you can record the output of these variables by adding a logging box with the entry: username=%{session.logon.last.username}, ismanaged=%{session.logon.last.ismanaged}, iscompliant=%{session.logon.last.iscompliant}, isknown=%{session.logon.last.isknown}
Iphone error using APM SAML
Greeting all, I’ve federated with Office 365, I used an iApp () to accomplish it. It works as expected for internal and external clients, except for iPhones (current version of iOS). The iApp was modified to allow for Kerberos SSO internally. Externally it uses HTTP basic. I opened a case with F5 support and we did some packet captures to see what the clients were posting to the SAML IdP. With an Android, the pcap looks like this: The above pcap includes an Authorization header. The iPhone request is different, and does not include that header: According to F5 Support, since the Authorization Header is missing from the POST on the iphone, the APM throws a redirect and the client barfs on that. The fallout of that is that client displays an invalid nonce error like this: F5 Support believes this is a bug in the iOS, I guess that wouldn’t be the first time! Has anyone come across this issue using the APM as an IdP for Office 365 as the SP and iPhone clients? Thanks for any suggestions you have. Cheers, Mike
APM SAML SLO reset
I have an APM IdP bound to an external SP. When a user logs out off the SP Application, SLO kicks in and the user is directed to https://myidp.com/saml/idp/profile/post/sls. The APM session is removed but this page results in an error connection reset and the user is left on the "Thi Sit can't be reached) page Any Idea?Limit SP metadata SLO xml tag to POST or REDIRECT..
So.. I´ve setup a sp in apm. The sp is configred to use post binding. But we have an issue with adfs, as the metadata we export for the sp contain both post and redirect.. the clients use redirect..and both post and redirect are present as endpoints in adfs. Is it standard for the metadata to contain both or is that a piece of config we missed? At the moment we´ve manually removed the redirect part of the xml to solve it, but would be nice to know if it´s a configuration mistake or if its default behaviour.
SAML: F5 as SP, Azure as IdP Problems with SLO
We use the F5 as SAML SP and Azure as SAML IdP. The SSO part runs well only the SLO makes problems. When i use the ResponseLocation url (/saml/sp/profile/redirect/slr) from the metadata XML for the "Logout Url" (in Azure) the SP initiated SLO (Logout Button on the Webtop) works but the IdP initiated SLO (logout in Azure) will not end the F5 session, the apm log shows SLO Request is received on SLO Response URL Looking in more detail in the assertion we can see that the Azure brings on a SP SLO "<samlp:LogoutResponse...." and on a IdP SLO "<samlp:LogoutRequest" so F5 should be able to find the correct "Option" but is only looking on the url but Azure gives no way to enter a second url. When i use the Location url (/saml/sp/profile/redirect/sls) in Azure it is the other way around. In Azure the Help Text suggests using the response url. The SAML rfc is also not very helpful, it "only" describes the content. Tests with the "new" iRule events ACCESS_SAML_.... do not bring any new insights either, the ACCESS_SAML_SLO_REQ and ACCESS_SAML_SLO_RESP looking like that they are fired via the uri and not the Option in the Assertion. Is there a way to decode (an deflate) the assertion in a iRule to read the SLO option and to set the F5 expected uri or any other idea how we can solve the problem?APM with External IDP (SAML) unexpected disconnection
Hi, As a lot of people right now, we are deploying VPN profiles in emergency. For a specific scenario, we use an External IDP (SAML SSO) to connect the users, which works fine. However, we get disconnected after a few minutes (sometimes seconds). We did some testing : the issue doesn't seems to happens when we switch to RADIUS or local auth, and SEEMS to be linked with the Maximum Sessions per user parameter. We had this parameter configured to 1 session max per user, and we were disconnected a LOT, even if only one session was running. We switched the parameter to 2, which kind of improved the situation but we were still disconnected time to time. When the parameter was configured on 2, and only my test laptop was connected (I verified in the logs, only one session existed at this time), I tried to launch F5 Access from my smartphone, which should have been OK since we allow 2 sessions per user. However, my laptop was directly disconnected. Now, we disabled the Max session per user and everything is working great. Any idea what could have happened? Why would it only happened with the SAML auth (External IDP) and not with RADIUS or local auth? Thank you in advance
SAML multiple auth context support
Hi everybody, I would like to know if there is or it planned to support multiple auth context as IDP. Now it seems that APM only support one auth context (by default PasswordProtectedTransport). The use case here is a SP where it is required priviledge scalation. For example the SP by default requires username and password authentication but if the user access /admin the it request certificate authentication. This should be doable if APM fully supported SAML 2.0. By using forceauth (which it is actually ignored by APM) and taking in to account the context auth list provided in the authrequest coming from the SP somehow in the VPE we should be able to authenticate users accordingly. My tests say that this is not supported/implemented in 13.0 but... it is planned to expand SAML functionalities as IDP. Thanks in advance!
Citrix access using SAML
Is it possible to perfom SSO into CItrix when AZURE SAML to authenitcate to the F5. All the docs, guides or bits and pieces I have found that reference passwordless envolves using smartcard. I have seen some references pointing to an additional SAML connection to the storefront but everything I have found seems to be pretty vague. Any tips, guidance, references would be gratly appreciated.
SAML Redirection Not Working
Hello, I'm attempting to setup a SAML configuration where KnowBe4 is the SP and our APM's are the IDP. I have read: https://clouddocs.f5.com/products/agc/5.0/saml-saas-applications/knowbe4.html I followed it the best I could (it's pretty generic), but it's not working. Let me explain what I'm seeing… The APM presents the login form fine, and I'm able to properly authenticate against the domain. Where I think the problem is coming in is when the IDP *should* be redirecting the user back to the SP. What I see when I follow the requests is: User submits form, the form is submitted to the page my.policy on the APM The APM then redirects the browser to /idp?SAMLRequest=<the encoded request packet> This is where things stop, the redirect from step 2 times out When I watch another, working SAML application I see that after step 2 the browser is redirected to a URL starting with "/saml/idp/profile/redirectorpost/sso?SAMLRequest=". That page redirects the browser back to the SP. Has anybody seen something like this before? Am I right in thinking that the URL that the form submission redirects to is incorrect in the KnowBe4 version of the configuration? If so, what magic incantation do I use to fix it? I used the Guided Configuration to setup to SSO application, and I used the KnowBe4 application optionHow to configure PeopleSoft to use SAML with F5 APM and ADFS
Hi Team, We have a client using PeopleSoft 8.5.7 and it required SAML authentication. We have utilised F5 APM as a service provider and ADFS servers as a SP connector. The question is what parameter F5 APM sending to the People Soft in order to authenticate with ADFS servers? what configuration need on People Soft? You help would be highly appreciated. Cheers, Parham
