Forum Discussion

AP_129594
Jan 16, 2014

SAML Idp federated with Service-Now

Has anyone had any experience setting up SAML Idp with SN? I am using APM 11.4.0 and trying to determine the Assertion Settings and SAML Attributes. I have Assertion Subject Type = Email Address and Value = %{session.logon.last.username} and I believe that is what SN prefers. For the SAML attribute, what should be included in the assertion?

14 Replies

  • gbbaus_104974
    Historic F5 Account

    Hi

    Are you sure that your %{session.logon.last.username} is an email address format?

    Depending on the VPE [logon] object, if you "Split the username", then the %{session.logon.last.username} is a "simple" name format.

    I had a situation recently where I needed to change to %{session.logon.last.logonname}

  • gbbaus_104974
    Historic F5 Account

    Just to clarify ... my situation wasn't with Service-Now, but I did need to pass the full email address (logon name) across as a "userPrincipalName" attribute

  • gbbaus_104974
    Historic F5 Account

    Hi. Turn up SSO debugging and you may get more insight into the error in the /var/log/apm log.

    Once an APM session is started, either do a "sessiondump -allkey | grep .last." at the APM CLI, or run a report via the APM GUI and look at the session.logon.last session variables for your session. Is there a session.logon.last.username or a session.logon.last.logonname?

    Also use SAML tracer in Firefox to look at the SAML assertion that your browser is posting (if you are getting to that point).

    Your error above may be the "SP Entity ID" value that is mismatched between the APM and Service-now (not sure, so double check).

    There also seems to be a mismatch of certs/keys used to sign and decrypt the assertion on either side. Check you have the same combination of settings on either side (start with signing but not encrypting).

    Lastly, depending on the version of APM, there is an issue with special characters in the assertion... there is an iRule fix to ensure the assertion is preserved as initially created.

    Maybe look at

    http://wiki.servicenow.com/index.php?title=SAML_2.0_Web_Browser_SSO_Profile
    https://wiki.servicenow.com/index.php?title=SAML_2.0_Troubleshooting

    and the "Fixing F5 BIG-IP SAML Authentication Requests" blog

    http://blog.routedlogic.net/?p=480

    HTH

    Gary
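Two of the checks Gary suggests above (look at what the SP actually sends with SAML tracer, and compare the SP Entity ID on both sides) can be done offline from a captured redirect URL. The following is an added example, not code from the thread or from F5: it builds a constructed AuthnRequest, encodes it the way an SP does for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoding), then decodes such a URL and reports the Issuer, the AssertionConsumerServiceURL and whether any signature is present, either as an XML ds:Signature element or as SigAlg/Signature query parameters. The entity IDs, hostnames and the function names are assumptions made for the example.

```python
"""Decode and sanity-check a SAML AuthnRequest sent over the HTTP-Redirect binding.

Added example (not from the thread or from F5). All hostnames and entity IDs
below are constructed placeholders.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed AuthnRequest, unsigned, as a minimal SP might send it.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed1234" Version="2.0" IssueInstant="2014-10-28T16:33:26Z"
  AssertionConsumerServiceURL="https://sp.example.test/navpage.do">
  <saml:Issuer>https://sp.example.test</saml:Issuer>
</samlp:AuthnRequest>"""


def encode_redirect_request(xml_text: str, relay_state: str) -> str:
    """Encode as an SP does for the redirect binding: raw DEFLATE (no zlib
    header), base64, then URL-encode into the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    b64 = base64.b64encode(deflated).decode("ascii")
    # The IdP SSO URL is a placeholder modelled on the APM path in the thread.
    return ("https://idp.example.test/saml/idp/profile/redirectorpost/sso?"
            + urlencode({"SAMLRequest": b64, "RelayState": relay_state}))


def decode_saml_request(url: str) -> dict:
    """Pull the SAMLRequest out of a redirect URL and summarise what it says."""
    qs = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    try:
        xml_bytes = zlib.decompress(raw, -15)  # redirect binding: raw DEFLATE
    except zlib.error:
        xml_bytes = raw  # POST-binding payloads are plain base64 XML
    root = ET.fromstring(xml_bytes)
    issuer = root.find("saml:Issuer", NS)
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        # Redirect binding signs the query string (SigAlg + Signature);
        # POST binding puts a ds:Signature element inside the XML.
        "xml_signature_present": root.find("ds:Signature", NS) is not None,
        "query_signature_present": "Signature" in qs and "SigAlg" in qs,
        "relay_state": qs.get("RelayState", [None])[0],
    }


def check_against_idp(info: dict, expected_sp_entity_id: str, require_signed: bool) -> list:
    """Return human-readable findings for the two mismatches discussed in the thread."""
    findings = []
    if info["issuer"] != expected_sp_entity_id:
        findings.append(f"Issuer {info['issuer']!r} does not match configured SP entity ID "
                        f"{expected_sp_entity_id!r}")
    if require_signed and not (info["xml_signature_present"] or info["query_signature_present"]):
        findings.append("IdP requires a signed AuthnRequest but the request carries no signature")
    return findings


if __name__ == "__main__":
    url = encode_redirect_request(SAMPLE_AUTHN_REQUEST, "https://sp.example.test/navpage.do")
    info = decode_saml_request(url)
    print(info)
    for f in check_against_idp(info, "https://sp.example.test", require_signed=True):
        print("FINDING:", f)
```

To use it on a real capture, pass the full URL SAML tracer shows for the SSO request to decode_saml_request and the SP Entity ID configured on the IdP to check_against_idp; an empty findings list means the Issuer matches and the signing expectation is met.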

     

  • It also appears that my client/server SSL profile needs to include the CA/chain?

  • It is getting more interesting as we progress:

    1. We had to get a new client/server certificate and convert it to JKS format for the SP's keystore, since they used the wildcard (*) certificate.
    2. We enabled AuthReq and SLO, which requires the assertion to be signed on the SP side.

    Now, I think we will also have to change the SAML Idp setting for the assertion subject value to sAMAccountName=%{session.logon.last.username} or sAMAccountName=%{session.session.ssl.cert.last.cn} ???

    • THASIN
      Hi AP, I configured BIG-IP as IdP for a service-now instance. IdP initiated connection is working perfectly. Service-now SP initiated connection is not working - connection reset or page not displayed. Appreciate if you could share your Big-IP as IDP configuration for service-now or provide me some clue how to resolve this issue. Thasin
  • Thasin, can you be a little more specific about when it started to fail? Download Firefox SAML tracer and look up the error message to determine where it fails.

    • THASIN
      After authenticating, the redirect page will not go anywhere and displays "Connection was reset":
      https://apm.XXXX.com/saml/idp/profile/redirectorpost/sso?SAMLRequest=lVJBbtswEPyKwLtEiVKSmrAMKDaCGkhSIXZz6I0mVwkBilS5lJL%2BvjLtIumhCXrlzs7MznCJojds4M0Ynu0D%2FBwBQ%2FLaG4v8NKnJ6C13AjVyK3pAHiTfNXe3nGU5H7wLTjpDkgYRfNDOrp3FsQe%2FAz9pCd8fbmvyHMKAnFLohfAKpgxPw9S6l0y6nloxDeIJMuVIspktaCuOXG%2BbYuizuB3hR2tUq4HO%2Bp02QD0o7UEG5weHgSLOPDfOS4h31aQTBoEk201NdvfrhZKHfHHoyqqCksnDRZdXnRBXjF2J6uKynIHYCkQ9wdsq4ghbi0HYUBOWF1Va5Cn7si9KXlacsWzBLn%2BQpD0ncq2t0vbp4%2FgOJxDyr%2Ft9m7bfdvtIMGkF%2Fn5G%2F2dyj%2BAxpjZzk9UyFsijcf%2B%2B0489iT9FktVn4kv6XuIsOPCj8%2B2mdUbLX0ljjHtZexBhvib4EWIxvQj%2FdlFkRXzRKu0ilM8GtGmU8oBI6Oqs%2B%2FevXf0G&RelayState=https%3a%2f%2femaardev.service-now.com%2fnavpage.do&SigAlg=http%3a%2f%2fwww.w3.org%2f2000%2f09%2fxmldsig%23rsa-sha1&Signature=nA%2bXhUnwa%2fIiMMqR8aMOokIOXAVp9KziVj0YTxTBTVs7ic8x6pQt03TJ5G1hpd1B2qYliQ6aJ8ouUUzTTFnAtKGuBpHTIerYt%2byjqWloRRt%2fq04nYDh3Mhf8JHVtE3cSjtHmSpbJDnRCOzfgM%2fj48yIfxYmQi%2fVkVe3ifyJ7nwY%3d
  • kunjan

    Enable debug as follows, and check the logs for the error.

    tmsh modify apm sso saml /Common/myIdP log-level debug

    Check the debug logs in /var/log/apm

    Which version are you using? BZ 428390 affects SAML logging

  • THASIN

    Oct 28 16:33:24 emaarhoapm1 notice apd[12930]: 01490010:5: 5c3c848a: Username 'shijog'
    Oct 28 16:33:26 emaarhoapm1 notice apd[12930]: 01490008:5: 5c3c848a: Connectivity resource '/Common/emaar_dev' assigned
    Oct 28 16:33:26 emaarhoapm1 notice apd[12930]: 01490128:5: 5c3c848a: Webtop '/Common/emaar_smal_webtop' assigned
    Oct 28 16:33:26 emaarhoapm1 notice apd[12930]: 01490005:5: 5c3c848a: Following rule 'fallback' from item 'Advanced Resource Assign' to ending 'Allow'
    Oct 28 16:33:26 emaarhoapm1 notice apd[12930]: 01490102:5: 5c3c848a: Access policy result: Full
    Oct 28 16:33:26 emaarhoapm1 warning tmm1[16307]: 014d0002:4: 5c3c848a: SSOv2 Authn Request has no Signature element
    Oct 28 16:33:26 emaarhoapm1 warning tmm1[16307]: 014d0002:4: 5c3c848a: SSOv2 Authn Request has no Signature element
    Oct 28 16:33:37 emaarhoapm1 warning tmm1[16307]: 014d0002:4: 5c3c848a: SSOv2 Authn Request has no Signature element
    Oct 28 16:33:55 emaarhoapm1 notice tmm1[16307]: 01490521:5: 2782480d: Session statistics - bytes in: 11415, bytes out: 9512
    Oct 28 16:34:07 emaarhoapm1 warning tmm1[16307]: 014d0002:4: 5c3c848a: SSOv2 Authn Request has no Signature element
    Oct 28 16:34:26 emaarhoapm1 notice tmm1[16307]: 01490501:5: 5c3c848a: Session deleted due to user logout request.

    SSOv2 Authn Request has no signature element - what does it mean?

    BIG-IP software version 11.5.1 HF5
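The log excerpt above is easier to read when the lines are grouped by the APM session ID (the 8-hex-digit field before the message). The following is an added example, not code from the thread or from F5: a small parser for the /var/log/apm line format shown above (syslog timestamp, host, severity, process[pid], message-id:level, session-id, message) that collects the username, access policy result and warnings per session and lists the sessions in which the IdP logged the "SSOv2 Authn Request has no Signature element" warning, so that an operator can confirm it is tied to one SP's session rather than a fleet-wide change. The sample lines are constructed to mirror the thread's format; the hostname, username and the function names are assumptions.

```python
"""Group BIG-IP APM log lines by session and flag unsigned-AuthnRequest warnings.

Added example (not from the thread or from F5). SAMPLE_LOG is constructed in the
format quoted in the thread; host and username are placeholders.
"""
import re
from collections import defaultdict

# One /var/log/apm line: "<ts> <host> <severity> <proc>[<pid>]: <msgid>:<level>: <sid>: <msg>"
APM_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<sev>\w+) "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msgid>[0-9a-f]{8}):(?P<level>\d): "
    r"(?P<sid>[0-9a-f]{8}): (?P<msg>.*)$"
)

# Exact warning text the IdP emits when it expects a signed AuthnRequest and gets none.
UNSIGNED_AUTHN = "SSOv2 Authn Request has no Signature element"

SAMPLE_LOG = """\
Oct 28 16:33:24 apm1 notice apd[12930]: 01490010:5: 5c3c848a: Username 'jdoe'
Oct 28 16:33:26 apm1 notice apd[12930]: 01490102:5: 5c3c848a: Access policy result: Full
Oct 28 16:33:26 apm1 warning tmm1[16307]: 014d0002:4: 5c3c848a: SSOv2 Authn Request has no Signature element
Oct 28 16:33:37 apm1 warning tmm1[16307]: 014d0002:4: 5c3c848a: SSOv2 Authn Request has no Signature element
Oct 28 16:33:55 apm1 notice tmm1[16307]: 01490521:5: 2782480d: Session statistics - bytes in: 11415, bytes out: 9512
Oct 28 16:34:26 apm1 notice tmm1[16307]: 01490501:5: 5c3c848a: Session deleted due to user logout request.
"""


def parse_apm_log(text: str) -> list:
    """Return one dict per line that matches the APM format; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = APM_LINE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def summarize_sessions(records: list) -> dict:
    """Per session ID: username, access policy result, warnings and unsigned-request count."""
    sessions = defaultdict(lambda: {"username": None, "policy_result": None,
                                    "warnings": [], "unsigned_authn_requests": 0})
    for r in records:
        s = sessions[r["sid"]]
        msg = r["msg"]
        user = re.match(r"Username '([^']*)'", msg)
        if user:
            s["username"] = user.group(1)
        if msg.startswith("Access policy result: "):
            s["policy_result"] = msg.split(": ", 1)[1]
        if r["sev"] == "warning":
            s["warnings"].append(msg)
        if msg == UNSIGNED_AUTHN:
            s["unsigned_authn_requests"] += 1
    return dict(sessions)


def sessions_with_unsigned_authn(records: list) -> list:
    """Session IDs in which the IdP rejected an unsigned AuthnRequest at least once."""
    return sorted(sid for sid, s in summarize_sessions(records).items()
                  if s["unsigned_authn_requests"] > 0)


if __name__ == "__main__":
    recs = parse_apm_log(SAMPLE_LOG)
    for sid, s in summarize_sessions(recs).items():
        print(sid, s)
    print("unsigned AuthnRequest seen in:", sessions_with_unsigned_authn(recs))
```

Feed it the output of grep on /var/log/apm for one session ID, or the whole file; the per-session summary shows whether the access policy completed (here "Full") before the SSO step failed, which is the pattern in the excerpt above.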

     

  • kunjan

    BigIP as IdP is expecting the Authentication request from SP to be signed. In this case, since it is not signed, disable that.

    tmsh modify apm sso saml-sp-connector /Common/mySP is-authn-request-signed false

    • THASIN
      It worked perfectly after making the changes - Do not expect signed SAML Auth request from SP. Thanks to everyone