Forum Discussion
Thanks again Evan,
I have double-checked the advanced assignment step within the IdP policy, and application-specific SAML resources are definitely being assigned. However, APM still insists that a "Webtop configuration is required" and the same error is being logged: "Logon denied due to validation error, Error Code: 3000 (No Webtop)".
I'm beginning to think that it is a version specific issue. The 11.6.0 documentation differs from the 12.1.0 documentation that you linked.
In 11.6.0 the relevant SAML instructions state:
Configuration requirements to support IdP- and SP-initiated connections
...
An access policy that:
Performs authentication
Assigns SAML resources and full webtop
However, the stipulation for a 'full webtop' assignment does not appear in the 12.1.0 documentation. I am going to try and lab this on 12.1.0 to see whether I have any more success.
Thanks again for your guidance,
Barny
I just wanted to confirm that the problems I experienced were version related and that migrating my trial configuration to 12.1.1 has resolved these.
I now have a fully working proof-of-concept which permits both SP and IdP initiated authentication and seamless cross-policy access.
Thank you very much for all your help in getting this working - I really appreciate your advice.
With regard to your specific implementation, you mention that the only logic you include within the SP policy (post SAML auth) is a step to verify that the user has permission to access the application. Assuming you are using some sort of group membership (e.g. AD) to determine authorisation, do you check group attributes passed within the SAML assertion sent to the SP, or is the SP policy able to access session variables instantiated by the IdP policy?
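The question above contrasts two ways the SP side can decide authorisation: group attributes carried in the SAML assertion, or session variables the IdP policy populated. As an added illustration, not part of the original thread and not F5 APM code, the Python below shows the assertion-attribute approach: it reads the AttributeStatement of an assertion, collects the group values, and checks that a required group is present. The sample assertion, the attribute name `memberOf`, the group names and the issuer URL are all constructed assumptions. The block also assumes the assertion has already passed signature validation by the SP (APM does this before the policy runs); an unsigned or unverified assertion must never be used for an authorisation decision, because anyone who can reach the SP could then mint their own group list.

```python
"""Group-membership check on a SAML 2.0 AttributeStatement (added example).

Assumes the assertion has already been signature-verified by the SP
(e.g. by APM); nothing here validates XML signatures.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion. Signature element omitted on purpose;
# the issuer URL, subject and group DNs are made up for this example.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-id" Version="2.0" IssueInstant="2016-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/saml/idp</saml:Issuer>
  <saml:Subject><saml:NameID>barny@example.test</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>CN=App1-Users,OU=Groups,DC=example,DC=test</saml:AttributeValue>
      <saml:AttributeValue>CN=VPN-Users,OU=Groups,DC=example,DC=test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>barny@example.test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Return {attribute Name: [values...]} from every AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name")
        if name is None:
            continue  # malformed attribute; ignore rather than guess
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def group_names(attrs: Dict[str, List[str]], attr_name: str = "memberOf") -> Set[str]:
    """Reduce AD-style distinguished names (CN=...,OU=...) to their CN values.

    Attribute name 'memberOf' is an assumption; the IdP decides what it sends.
    """
    names: Set[str] = set()
    for dn in attrs.get(attr_name, []):
        first_rdn = dn.strip().split(",", 1)[0]
        if first_rdn.upper().startswith("CN="):
            names.add(first_rdn[3:])
    return names


def authorized(assertion_xml: str, required_group: str, expected_issuer: str) -> bool:
    """SP-side decision: right issuer and the required group is present.

    The issuer check is cheap defence in depth on top of signature
    validation; it refuses assertions from a trusted key used by the
    wrong IdP entity.
    """
    root = ET.fromstring(assertion_xml)
    issuer = (root.findtext("saml:Issuer", namespaces=SAML_NS) or "").strip()
    if issuer != expected_issuer:
        return False
    groups = group_names(extract_attributes(assertion_xml))
    return required_group in groups


if __name__ == "__main__":
    print(authorized(SAMPLE_ASSERTION, "App1-Users", "https://idp.example.test/saml/idp"))
    print(authorized(SAMPLE_ASSERTION, "Finance", "https://idp.example.test/saml/idp"))
```

The trade-off against the session-variable approach is visibility: an attribute in the assertion is evidence the SP can check on its own (it travelled inside the signed document), whereas a session variable set by the IdP policy is only meaningful if the SP policy runs on the same device and trusts that session store. Comparing CNs, as done here, only works if group names are unique across the directory; when they are not, compare the full DN instead.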