SAML SP ACS Post back resulting in a 404
Hello, I have one application configured to use APM via SAML authentication; the SP and IdP are both running directly on our F5. This setup is working for many applications; only for this one do I have problems with the SAML flow. Only some web resources from this app are protected, and we used an iRule to handle this. When I access one of the protected URIs I am redirected to our IdP to get the authentication (KRB ticket). This is still working: I get a session for it (Allowed state) and also see the correct SP in the reference. But the POST back from the IdP to the SP's ACS /saml/sp/profile/post/acs results in a 404.
Accessing protected web resource -> www.app1.com/protected
No session right now, so I am redirected to the IdP -> idp.com/saml/idp/profile/redirectorpost/sso (Post; State 302)
Redirect back to SP -> www.app1.com/saml/sp/profile/post/acs (Post; State 404)
Anybody have an idea how to solve this or where I can start with the error search? Thanks, Christoph

BIGIP IdP, SP, Webtop?
I have read documentation but I started to get confused with what I need. I am trying to build a web portal (webtop) on my edge to allow access to protected systems. The webtop will present the BIG-IP portal to authenticate and force MFA with DUO, and create the assertions for the protected systems on the back side of BIG-IP that are SAML based. What would be the configuration required to accomplish this? Do I need to make BIG-IP act as IdP, or SP, or both? Or federate the BIG-IP portal? Is there any documentation?

SAML Azure IdP and SSO between multiple VS
Hi, We are looking at a solution to set up SAML authentication with Azure IdP. We don't have any problem establishing the federation and publishing a single app (for example app.corp.com). Basically we create a federation and register app.corp.com as an Enterprise App in Azure, export and import metadata, and everything works fine. However, our issue is that we have a lot of applications to secure (~150 apps). All these apps are directly accessible from the browser; that means there is no need to log in on an APM portal to get access. We are looking for a solution to avoid registering these 150 apps in Azure as specific applications. Do you know if there is a way to implement SSO between all apps and only register one VS (for example auth.corp.com) with Azure IdP? That would clearly simplify the setup. Tried this without success: https://devcentral.f5.com/s/articles/post-of-the-week-saml-idp-and-sp-on-one-big-ip-30680 If not possible via direct access, do you think using the APM portal could help on this? Thanks

F5 SAML IdP with Okta User Facing
Currently have F5 APM set up as a SAML IdP for ~10 SaaS providers. We also have an Okta environment set up with its own SAML connections to other SaaS providers. We would like to start sending users 100% through Okta but do not want to migrate the current F5 IdP connections to Okta for reasons too long to describe here. Has anyone ever had users authenticate into Okta and at the same time be given access to all the SAML resources on the F5? If I made the F5 an SP for Okta, could I assign the existing F5 SAML resources and allow the user through? I don't believe this would work but am unable to think of other ways to achieve this. Any thoughts would be appreciated.

BigIP as both a SAML IdP and SP, correct APM SSO config options
We have set up the BigIP as both an IdP and multiple SPs. It's really neat that the BigIP can provide both roles; however, the documentation seems to be lacking the proper setup for the SSO tab for each of the APM security policies that are configured on the IdP and SPs respectively. For example:
IdP = https://auth.example.com/idp
SP1 = https://mail.example.com/sp
SP2 = https://confluence.example.com/sp
For each of these above we have a unique APM security profile, and the scope for each is set to "Profile", not "Global". So the question is what do we select in the "SSO / Auth domains" tab for each of these APM profiles? The options are:
Domain Mode: single domain or multiple domain?
Domain Cookie: blank, or example.com, or the FQDN of the resource the APM profile is protecting?
Cookie options: we are selecting the "Secure" check box.
SSO configuration: blank, or should it be the SSO configuration that was automatically created when we created our IdP?
Again, the documentation is not clear on what is correct for these settings, and I hope a discussion of this will help those out there deploying this configuration!

APM IdP - import a metadata file using tmsh
I have an APM solution set up as an IdP. I get sent metadata files when setting up an SP connector. This can be done via the F5 GUI, but I want to know if you can also do this via the TMSH command line. Can you SCP the metadata XML to the APM and then import it there?

iRule - Access to External IdP connectors
Hi, I have APM set up as a Service Provider with multiple IdP connectors. I was wondering if there is a way to get at the list of IdP connectors and the matching values I have set up as part of an iRule? I'm trying to work out where someone is coming from, and the logic runs before it gets to the access policy and the 'SAML Auth' part of the process. I was hoping to use the IdP external connectors instead of creating a datagroup that just duplicates what I already have. Cheers, Simon

SAML IDP-initiated without webtop
So I have one SP-initiated SAML setup and working. I have another request to set up an IdP-initiated SAML connection. I have got it to work successfully following the guide, but after signing into the F5 the users have to click the link in the webtop. From research I know I should be able to send them directly to the correct SAML resource, but I have not been able to figure it out. Any help would be great. This is the guide I followed: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-saml-config-guide-11-3-0/2.html

APM SP SAML with ADFS based on artifact binding
Anyone got ADFS 2.0 with BIG-IP as SP based on artifact binding working? I got it set up correctly, I believe, but I end up with the error: SAML Response element outside ArtifactResponse. And indeed the ArtifactResponse doesn't contain a Response at all, just a Status ...