Forum Discussion
Thanks again Evan,
I have double-checked the advanced assignment step within the IdP policy, and application-specific SAML resources are definitely being assigned. However, APM still insists that a "Webtop configuration is required" and the same error is being logged: "Logon denied due to validation error, Error Code: 3000 (No Webtop)"
I'm beginning to think that it is a version specific issue. The 11.6.0 documentation differs from the 12.1.0 documentation that you linked.
In 11.6.0 the relevant SAML instructions state:
Configuration requirements to support IdP- and SP-initiated connections
...
An access policy that:
Performs authentication
Assigns SAML resources and full webtop
However, the stipulation for a 'full webtop' assignment does not appear in the 12.1.0 documentation. I am going to try and lab this on 12.1.0 to see whether I have any more success.
Thanks again for your guidance,
Barny
- Evan_Champion_1, Aug 26, 2016 (Cirrus)
That could be it -- we are using 12.1.0. I would recommend 12.1.0 HF1 for other reasons anyway, as it fixed some of the bugs I found with SAML. HF1 fixes a further regression in 12.1.0 where a user going to https://yourserver/path/to/content ends up redirected back to https://yourserver/ after authentication and not https://yourserver/path/to/content. This can be worked around, but given you are upgrading you are better to go to HF1.
- Barny_Riches, Sep 01, 2016 (Nimbostratus)
I just wanted to confirm that the problems I experienced were version related and that migrating my trial configuration to 12.1.1 has resolved these.
I now have a fully working proof-of-concept which permits both SP and IdP initiated authentication and seamless cross-policy access.
Thank you very much for all your help in getting this working - I really appreciate your advice.
With regards to your specific implementation, you mention that the only logic you include within the SP policy (post-SAML auth) is a step to verify that the user has permission to access the application. Assuming you are using some sort of group membership (e.g. AD) to determine authorisation, do you check group attributes passed within the SAML assertion sent to the SP, or is the SP policy able to access session variables instantiated by the IdP policy?
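The first of the two approaches asked about above (the SP checking group attributes carried in the assertion) as an added Python illustration; it is not part of this thread and not F5 APM code (APM performs these checks inside the access policy). The attribute name memberOf, the audience URL and the sample assertion are constructed, and signature verification is assumed to have already happened.

```python
# Added example: SP-side authorization from a SAML AttributeStatement, with the
# Conditions checks (validity window, audience) that must accompany it.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned; signature validation is assumed done).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2016-09-01T10:00:00Z">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <saml:Subject><saml:NameID>barny@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2016-09-01T10:00:00Z" NotOnOrAfter="2016-09-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com/app1</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>CN=App1-Users,OU=Groups,DC=example,DC=com</saml:AttributeValue>
      <saml:AttributeValue>CN=VPN-Users,OU=Groups,DC=example,DC=com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _parse_time(value):
    """SAML timestamps are UTC; return a timezone-aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def attribute_values(assertion_xml, name):
    """Return every AttributeValue string for the named SAML attribute."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            values.extend(v.text or "" for v in attr.findall("saml:AttributeValue", NS))
    return values

def authorize(assertion_xml, required_group, expected_audience, now):
    """True only if the assertion is in its validity window, meant for this SP,
    and lists the required group in the memberOf attribute."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return False  # refuse assertions without an explicit validity window
    if not (_parse_time(cond.get("NotBefore")) <= now < _parse_time(cond.get("NotOnOrAfter"))):
        return False  # expired or not-yet-valid (replayed) assertion
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False  # assertion was issued for a different SP
    return required_group in attribute_values(assertion_xml, "memberOf")
```

In a real deployment the group check would sit behind signature validation and an issuer check; this block shows only the attribute and Conditions logic.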