arpydays
Feb 05, 2016
Nimbostratus
SAML issue
Hi,
My setup is SP-initiated SAML using F5 APM as the IdP. The F5 authenticates the web users using NTLM (client-side NTLM on the F5) as part of the IdP auth.
All appears to be working for Firefox. Wi...
Hi Michael,
The issue does disappear when using forms auth; the version is 11.6HF5. I tracked it down to IE not sending the 'dummy' token parameter in the subsequent POST to APM SAML SSO after being authenticated by the APM policy. It seems a bit obscure, so I've tried a different configuration using the rule from your "Leveraging BIG-IP APM for seamless client NTLM Authentication" doc, as this will also give me some control over NTLM and fallback to logon.
This appears to be working from an NTLM and SAML perspective, with one issue. The session.logon.last.username does not appear to be populated as it was with a basic NTLM-enabling rule with no redirecting; this breaks my AD query. I've also got the mapping of ECA::username to session.ntlm.last.username in the ECA_REQUEST_ALLOWED event as per your rule. The logs indicate that session.logon.last.username and session.ntlm.last.username are empty. I've added some variable logging and this confirms the issue. For some reason, any log local0. statements in ECA_REQUEST events do not show up in the apm log, which doesn't help.
Interestingly, the session.ntlm.last.machinename and session.ntlm.last.status variables are mapped and populated with the ECA values; just the session.ntlm.last.username variable is not, and neither is session.logon.last.username.