saml
216 Topics

APM SAML SLO reset (490 views, 1 like, 2 comments)
I have an APM IdP bound to an external SP. When a user logs out of the SP application, SLO kicks in and the user is directed to https://myidp.com/saml/idp/profile/post/sls. The APM session is removed, but this page results in a "connection reset" error and the user is left on the "This site can't be reached" page. Any idea?

Limit SP metadata SLO xml tag to POST or REDIRECT.. (621 views, 1 like, 3 comments)
So... I've set up an SP in APM. The SP is configured to use POST binding. But we have an issue with ADFS, as the metadata we export for the SP contains both POST and redirect; the clients use redirect, and both POST and redirect are present as endpoints in ADFS. Is it standard for the metadata to contain both, or is that a piece of config we missed? At the moment we've manually removed the redirect part of the XML to solve it, but it would be nice to know if it's a configuration mistake or if it's default behaviour.

SAML: F5 as SP, Azure as IdP Problems with SLO (Solved; 2K views, 1 like, 5 comments)
We use the F5 as SAML SP and Azure as SAML IdP. The SSO part runs well; only the SLO makes problems. When I use the ResponseLocation URL (/saml/sp/profile/redirect/slr) from the metadata XML for the "Logout Url" (in Azure), the SP-initiated SLO (Logout button on the webtop) works, but the IdP-initiated SLO (logout in Azure) will not end the F5 session; the APM log shows "SLO Request is received on SLO Response URL". Looking in more detail at the assertion, we can see that Azure sends a "<samlp:LogoutResponse..." on an SP SLO and a "<samlp:LogoutRequest" on an IdP SLO, so F5 should be able to find the correct "option", but it is only looking at the URL, and Azure gives no way to enter a second URL. When I use the Location URL (/saml/sp/profile/redirect/sls) in Azure, it is the other way around. In Azure the help text suggests using the response URL. The SAML RFC is also not very helpful; it "only" describes the content. Tests with the "new" iRule events ACCESS_SAML_... do not bring any new insights either; ACCESS_SAML_SLO_REQ and ACCESS_SAML_SLO_RESP look like they are fired via the URI and not the option in the assertion. Is there a way to decode (and deflate) the assertion in an iRule to read the SLO option and to set the URI the F5 expects, or any other idea how we can solve the problem?

APM with External IDP (SAML) unexpected disconnection (335 views, 1 like, 1 comment)
Hi, as a lot of people right now, we are deploying VPN profiles in emergency. For a specific scenario, we use an External IDP (SAML SSO) to connect the users, which works fine. However, we get disconnected after a few minutes (sometimes seconds). We did some testing: the issue doesn't seem to happen when we switch to RADIUS or local auth, and SEEMS to be linked with the Maximum Sessions per user parameter. We had this parameter configured to 1 session max per user, and we were disconnected a LOT, even if only one session was running. We switched the parameter to 2, which kind of improved the situation, but we were still disconnected from time to time. When the parameter was configured to 2, and only my test laptop was connected (I verified in the logs, only one session existed at this time), I tried to launch F5 Access from my smartphone, which should have been OK since we allow 2 sessions per user. However, my laptop was directly disconnected. Now we have disabled the Max sessions per user and everything is working great. Any idea what could have happened? Why would it only happen with the SAML auth (External IDP) and not with RADIUS or local auth? Thank you in advance.

SAML multiple auth context support (451 views, 1 like, 1 comment)
Hi everybody, I would like to know if there is, or it is planned, support for multiple auth contexts as IDP. Now it seems that APM only supports one auth context (by default PasswordProtectedTransport). The use case here is an SP where privilege escalation is required. For example, the SP by default requires username and password authentication, but if the user accesses /admin then it requests certificate authentication. This should be doable if APM fully supported SAML 2.0. By using forceauth (which is actually ignored by APM) and taking into account the auth context list provided in the authrequest coming from the SP, somehow in the VPE we should be able to authenticate users accordingly. My tests say that this is not supported/implemented in 13.0 but... is it planned to expand SAML functionalities as IDP? Thanks in advance!

Citrix access using SAML (1.5K views, 1 like, 3 comments)
Is it possible to perform SSO into Citrix when using Azure SAML to authenticate to the F5? All the docs, guides or bits and pieces I have found that reference passwordless involve using a smartcard. I have seen some references pointing to an additional SAML connection to the StoreFront, but everything I have found seems to be pretty vague. Any tips, guidance or references would be greatly appreciated.

SAML Redirection Not Working (868 views, 1 like, 2 comments)
Hello, I'm attempting to set up a SAML configuration where KnowBe4 is the SP and our APMs are the IDP. I have read: https://clouddocs.f5.com/products/agc/5.0/saml-saas-applications/knowbe4.html I followed it the best I could (it's pretty generic), but it's not working. Let me explain what I'm seeing... The APM presents the login form fine, and I'm able to properly authenticate against the domain. Where I think the problem is coming in is when the IDP *should* be redirecting the user back to the SP. What I see when I follow the requests is:
1. User submits form; the form is submitted to the page my.policy on the APM.
2. The APM then redirects the browser to /idp?SAMLRequest=<the encoded request packet>.
3. This is where things stop; the redirect from step 2 times out.
When I watch another, working SAML application, I see that after step 2 the browser is redirected to a URL starting with "/saml/idp/profile/redirectorpost/sso?SAMLRequest=". That page redirects the browser back to the SP. Has anybody seen something like this before? Am I right in thinking that the URL that the form submission redirects to is incorrect in the KnowBe4 version of the configuration? If so, what magic incantation do I use to fix it? I used the Guided Configuration to set up the SSO application, and I used the KnowBe4 application option.

How to configure PeopleSoft to use SAML with F5 APM and ADFS (321 views, 1 like, 0 comments)
Hi Team, we have a client using PeopleSoft 8.5.7 and it requires SAML authentication. We have utilised F5 APM as a service provider and ADFS servers as an SP connector. The question is: what parameters is F5 APM sending to PeopleSoft in order to authenticate with the ADFS servers? What configuration is needed on PeopleSoft? Your help would be highly appreciated. Cheers, Parham

F5 IDP - ASP.NET SAML SSO example (569 views, 1 like, 0 comments)
Looking to add F5 IDP (APM) to our product's SSO providers. We already connect to Azure AD (https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-aspnet-webapp), Okta (https://github.com/okta/samples-aspnetcore/tree/master/samples-aspnetcore-2x/self-hosted-login) and others using OWIN. Is there an ASP.NET SDK or guide we can follow? Thanks!