Forum Discussion
Michael_Koyfman
Sep 18, 2015 (Cirrocumulus)
Hard to say, but most likely there is a mismatch on the SAML configuration side somewhere - maybe SP, maybe the IDP.
For starters, since you say that you have two SPs, I suggest doing a capture with HTTPWatch or similar and checking whether the URLs that the SPs use to initiate the connection to the IdP are identical - if not, you might have a configuration mismatch on the SP side.
Start by checking that first. You can also enable the SSO debug log and see if there are any notices/errors reported there.
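The check suggested above is easier to do precisely if you decode what each SP actually sends. The following is an added example, not code from this thread or from F5: it undoes the SAML 2.0 binding encoding (HTTP-Redirect is raw DEFLATE then base64 in the `SAMLRequest` query parameter; HTTP-POST is base64 only in a form field), pulls the `Issuer`, `Destination` and `AssertionConsumerServiceURL` out of the AuthnRequest, and diffs the two SPs field by field. The two sample requests are constructed here for illustration; the SP issuer and ACS URLs are hypothetical, and only the IdP SSO URL and the `/idp/resource2` path are taken from the thread.

```python
"""Decode SAML 2.0 AuthnRequests captured from two SPs and diff the
endpoint-related fields.  Added example; not code from the thread."""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}


def decode_saml_request(b64_value, binding):
    """Undo the binding encoding.  HTTP-Redirect is raw DEFLATE (no zlib
    header) then base64; HTTP-POST is base64 only."""
    raw = base64.b64decode(b64_value)
    if binding == "redirect":
        raw = zlib.decompress(raw, -15)   # -15: raw DEFLATE stream
    elif binding != "post":
        raise ValueError("binding must be 'redirect' or 'post'")
    return raw.decode("utf-8")


def summarize_authn_request(xml_text):
    """Pull out the fields that decide where the IdP sends the user back."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    issuer = root.find("saml:Issuer", NS)
    return {
        "Issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "Destination": root.get("Destination"),
        "AssertionConsumerServiceURL": root.get("AssertionConsumerServiceURL"),
        "ProtocolBinding": root.get("ProtocolBinding"),
    }


def summarize_redirect_url(url):
    """HTTP-Redirect binding: SAMLRequest travels as a query parameter."""
    params = parse_qs(urlparse(url).query)        # parse_qs URL-decodes for us
    return summarize_authn_request(decode_saml_request(params["SAMLRequest"][0], "redirect"))


def summarize_post_form(fields):
    """HTTP-POST binding: SAMLRequest travels as a form field."""
    return summarize_authn_request(decode_saml_request(fields["SAMLRequest"], "post"))


def diff_summaries(a, b):
    """Fields where the two SPs disagree, as {field: (sp1_value, sp2_value)}."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


# --- constructed sample traffic (hypothetical; not captured from the poster's SPs) ---

def build_authn_request(issuer, destination, acs_url, request_id):
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="2015-09-18T12:00:00Z" '
        f'Destination="{destination}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>'
    )


def encode_redirect(xml_text):
    """Encode the way an SP does for HTTP-Redirect: DEFLATE, base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return quote(base64.b64encode(deflated).decode("ascii"), safe="")


def encode_post(xml_text):
    """Encode the way an SP does for HTTP-POST: base64 only."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


IDP_SSO = "https://login.company.com/saml/idp/profile/redirectorpost/sso"

# resource1: redirect binding straight to the IdP's SSO endpoint
SP1_REDIRECT_URL = IDP_SSO + "?SAMLRequest=" + encode_redirect(build_authn_request(
    "https://resource1.company.com/sp", IDP_SSO,
    "https://resource1.company.com/saml/acs", "_sp1-req-1"))

# resource2: POST binding aimed at a different, resource-specific Destination
SP2_POST_FORM = {"SAMLRequest": encode_post(build_authn_request(
    "https://resource2.company.com/sp", "https://login.company.com/idp/resource2",
    "https://resource2.company.com/saml/acs", "_sp2-req-1"))}


def compare_samples():
    return diff_summaries(summarize_redirect_url(SP1_REDIRECT_URL),
                          summarize_post_form(SP2_POST_FORM))


if __name__ == "__main__":
    for field, (v1, v2) in compare_samples().items():
        print(f"{field}:\n  resource1: {v1}\n  resource2: {v2}")
```

In a real capture, paste the `SAMLRequest` value from HTTPWatch into `decode_saml_request` with the binding that matches how it was sent. Differing `Issuer` and `AssertionConsumerServiceURL` values are expected between two SPs; a differing `Destination` means the two SPs are not pointed at the same IdP endpoint, which is the kind of SP-side mismatch worth looking at first.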
- edgoad_211171, Sep 18, 2015 (Nimbostratus): Thanks for your feedback. I have used HTTPWatch and I am getting completely different readings from both resources. For resource1, the login process appears to POST to https://login.company.com/saml/idp/profile/redirectorpost/sso. For resource2, the login process appears to POST to http://login.company.com/my.policy. However, I am not familiar enough with SAML to know if this is wrong, or just another way to work it.
- Michael_Koyfman, Sep 18, 2015 (Cirrocumulus): I am glad my suggestion was in the right direction. Not knowing the details of resource2, I am guessing that the SAML configuration on the resource2 side is messed up - please review it.
- edgoad_211171, Sep 18, 2015 (Nimbostratus): Out of curiosity, the authentication seems to be working, just the flow through the F5 (for whatever reason) isn't completing. Since the resource is sending the user to a unique URL (https://login.company.com/idp/resource2), is there some way I can force it? Can I use an iRule or something to select the SAML resource for the user?