saml
216 Topics

Keycloak as IDP for F5 APM via SAML
I have a requirement from our customer to do MFA authentication on the F5 APM module and use Keycloak as Identity Provider to control their access to a web application. Since Keycloak is operated by a different team, the internal operations team doesn't have authorization to do MFA on Keycloak. They will use F5 APM to perform MFA instead.

Existing environment.

Solution: Protect your web application by deploying F5 as a web proxy.

Configuration

Import your SAML metadata to F5 APM
Start by logging in to your Keycloak console and download the SAML metadata. Make sure you have the right realm selected. Save your metadata.
Navigate to External IDP connector. Create External IDP connector. Upload the metadata you downloaded previously and name your SAML IDP connector.

Create your web.f5test.com certificate
Navigate to the SSL Certificate list console. Create your new certificate. Configure your parameters and click Finish.

Create your Local SP Service
Navigate to the local SP service console. Click create new SP service. Input name, EntityID and SP name settings. Configure POST as the assertion consumer service binding. Configure the security settings with the certificate generated earlier and click OK.

Bind your SP service with the IDP connector
Select your newly created SP service. Add a new row and select your IDP connector profile.

Import your SP service to Keycloak
Export your SP service. Create a new client on Keycloak. Select the file downloaded in the previous section. Click Save.

APM Access Guided Configuration with VIP in different partition
I am trying to use the Guided Configuration to create a SAML Service Provider. However, this can only be run from the Common partition, whereas the VIP required has to be on a different partition for security reasons. I have tried to configure this manually but am running into problems, and all online guides point to the guided configuration. Is there a way around this partition restriction while using the guided configuration? I am trying to deploy BIG-IP APM to perform SAML authentication through Azure. We have the metadata file but would like to use the Guided Configuration to complete the deployment.

How to extract SAML NameID from AuthnRequest
Hi Gurus, I'm about to implement an SP-initiated SAML connection to our BIG-IP APM, set up as IdP, currently v15.1.2, eagerly awaiting some bug resolutions for the upgrade to 16.1. I want to suppress the "login name" prompt on the F5 and just ask for the password by extracting the login name from the NameID value. IMHO, there's no need for the end user to enter his name twice, first at the SP's and a second time at the APM login window. Any clues? Many thanks and best regards from Basel, Switzerland, HP.

SAML SP ACS post back resulting in a 404
Hello, I have one application configured to use APM via SAML authentication; the SP and IdP are both running directly on our F5. This setup is working for many applications; only for this one I have problems with the SAML flow. Only some web resources from this app are protected; we used an iRule to handle this. When I access one of the protected URIs I am redirected to our IdP to get the authentication (KRB ticket). This is still working: I get a session for it (Allowed state) and also see the correct SP in the reference. But the post back from the IdP to the SP's ACS /saml/sp/profile/post/acs results in a 404.

Accessing protected web resource -> www.app1.com/protected
No session right now, so I am redirected to the IdP -> idp.com/saml/idp/profile/redirectorpost/sso (Post; State 302)
Redirect back to SP -> www.app1.com/saml/sp/profile/post/acs (Post; State 404)

Anybody an idea how to solve this or where I can start with the error search? Thanks, Christoph

SAML SLO NameQualifier and SPNameQualifier attributes missing
We have an external SAML 2 IdP which requires the NameQualifier and SPNameQualifier attributes in the NameID element set in the SAML LogoutRequest (SLO), like:

NameQualifier="https://xxx.yyy.com/idp" SPNameQualifier="https://aaa.bbb.com/saml_sp"> AAdzZWNy...CtBxVYUk=

Now APM (v11.5.x) seems to send the SAML SLO request without those attributes, which causes SLO to fail at the IdP end:

AAdzZWNy...CtBxVYUk=

Haven't seen any way to add those attributes, or am I missing something? Any ideas?

Invalid Session ID. Your session may have expired - during Kerberos auth
I have an IdP setup that is doing client-side Kerberos auth before then sending a SAML token on to an SP. I have an intermittent issue where sometimes, using the Kerberos auth, it seems to fail and sends me to a logout page with an error:

.../my.logout.php3?errorcode=20
Your session could not be established. The session reference number: 23f22713
Invalid Session ID. Your session may have expired.

In the logs I can see: Session deleted (security_check). Sometimes the Kerberos is OK and sometimes not; any ideas where to look for the cause of this? Thanks

SAML: F5 as SP, Azure as IdP - problems with SLO
We use the F5 as SAML SP and Azure as SAML IdP. The SSO part runs well; only the SLO makes problems. When I use the ResponseLocation URL (/saml/sp/profile/redirect/slr) from the metadata XML for the "Logout Url" (in Azure), the SP-initiated SLO (Logout button on the webtop) works, but the IdP-initiated SLO (logout in Azure) will not end the F5 session; the APM log shows "SLO Request is received on SLO Response URL". Looking in more detail at the assertion, we can see that Azure sends on an SP SLO a "<samlp:LogoutResponse..." and on an IdP SLO a "<samlp:LogoutRequest", so the F5 should be able to find the correct "option", but it is only looking at the URL, and Azure gives no way to enter a second URL. When I use the Location URL (/saml/sp/profile/redirect/sls) in Azure it is the other way around. In Azure the help text suggests using the response URL. The SAML RFC is also not very helpful; it "only" describes the content. Tests with the "new" iRule events ACCESS_SAML_... do not bring any new insights either; ACCESS_SAML_SLO_REQ and ACCESS_SAML_SLO_RESP look like they are fired via the URI and not the option in the assertion. Is there a way to decode (and deflate) the assertion in an iRule to read the SLO option and set the URI the F5 expects, or any other idea how we can solve the problem?

SAML cookie persistence after browser/system restart and across service providers
I am fairly new to the F5 world and in the beginning of setting up our LTMs as SAML IdPs for a variety of services. Our first use case is Jive, which we have working; all the attributes are pulling across just fine, authentication is fine, everything is functional as is. I'm having a hard time translating what we want the user experience to be into the next phase of the configuration. Our hope was that we could authenticate a user to the LTM, they would be provided a cookie that was set to expire in 24 hours, that cookie would provide SSO access to other services that we'll be adding, and once the 24 hours is up the user would be asked to authenticate again regardless of which service they are logging in to. I've set the Maximum Session Timeout to 86400 seconds (24 hours) and set the cookie to persistent, but when I log in with a test account I don't see a new cookie created on the user system, and closing the browser loses the session. In addition, I don't currently have another sandbox service provider to test with to ensure that the cookie we are hoping will be created would be valid for that other service as well. Am I wrong in thinking that the F5 can provide a persistent cookie that survives beyond browser or system restarts? Can the F5 only provide SSO for that time period and across SAML partners as long as that browser session is open? I presume I'm asking some pretty elementary stuff, so forgive my lack of current knowledge. Any pointers on where I can read up on that, or help managing my expectations, would be appreciated.

Encryption error - SAML assertion: response is not encrypted
We are trying to configure our APM with Azure SAML authentication. After logging on successfully we get an error and the logs show the following:

modules/Authentication/Saml/SamlSPAgent.cpp: 'verifyAssertionSignature()': 5374: Verification of SAML signature #2 succeeded
----------------------- SAML2Websak_act_saml_auth_ag failed to parse assertion, error: Response is not encrypted
...................... a6559abf: Following rule 'fallback' from item 'SAML Auth' to ending 'Deny'

As a result the login is denied. Is this related to the certificate or RSA encryption? We have tried various options but it comes back to the same error.

iRule - JWT is generated prior to authentication
Hoping you guys could shed some light on this; all our efforts have failed so far.

Scenario:
Client hits https://service.com/example
Initial URI is stored in a session variable called session.server.landinguri
Client is redirected to IdP (F5 SAML federation with IdP)
Authentication takes place and, if completed, the client is redirected to the landinguri and a JWT is signed and generated via an iRule (signature, username etc.)
JWT is passed to the URI (yes, the application requires this; passing it in the HTTP Authorization header is not supported)

We have tried generating the JWT in the APM but are unable to decrypt it into the proper format for appending to the URI. This is why we are doing this in an iRule. Our problem is that the iRule JWT is being generated at the start of the APM in the initial session BEFORE the authentication takes place, which results in e.g. an empty username being displayed. We have been experimenting with ACCESS_POLICY_AGENT_EVENT but can't get things to work, as it still picks up the JWT that is generated prior to SAML authentication. When debugging we can see 3 JWTs being generated in the flow: the first one with an empty username, the following 2 (after successful auth) contain the correct info. Any advice on troubleshooting this is highly appreciated!