wwylie_122896
Jul 25, 2014

Big-IP as IDP with Salesforce.com - Configuration help?

I'm brand new to SSO and I'm trying to configure our Big-IP as an IDP and Salesforce as the SP using SAML 2.0. Logins will be SP Initiated since most users go straight to Salesforce.

 

I've searched the internets for anything relating to configuration for these two in this sort of configuration. I know it's supported, but I can't seem to get it to work. Most of the documentation is very generic, or mentions Big-IP as the SP and SFDC as the IDP.

 

As of right now, I have SFDC sending assertions to the F5. I can get a TCPDUMP and see traffic coming in on my VS that's assigned to the access policy. However, when I look at \var\log\apm, there is nothing there. I have all logging set to debug, but nothing is logged during the SSO attempt, just the background process logs (nothing noting ssov2).

 

Does anyone have an example of what they've done? I'd love to pay someone to come in and do this for us, but management would rather have me working on it to save the money.

 

Also, this may be due to the fact I'm using a wildcard cert for the IDP. Does anyone know if SFDC rejects wildcard certs?

 

6 Replies

  • wwylie,

     

    I think you might've hit it right on the head - I am not sure about SFDC, but I have basically seen various SPs not work properly with APM as IDP if the wildcard cert is used to sign the assertion (experienced that with Office 365). Try changing it to a private unique single-host cert and see if the problem goes away - I sure hope it is going to be as simple as that.

     

  • I managed to get this working with an IDP initiated sign-in through a portal on the Big-IP. For some reason, the SP initiated sign on still isn't working.

     

  • kunjan

    Do you have special chars in ACS, like ampersand? You may want to enable accesscontrol debug to troubleshoot.

     

  • No special characters anywhere. I've actually got all logging set to debug, but nothing hits the logs. If I run a dump when I try to initiate from the SP, I see packets hit the Big-IP from SFDC, but nothing in \var\log\apm.

     

  • kunjan

    For debug logs in syslog, check that 'tmsh modify /sys db log.access.syslog value enable' is done.

     

  • I have SP initiated setup for Webex and Brainshark (Big-IP is the IdP), and they work perfectly: when you get redirected to the Big-IP from the SP, it directs you right back to the SP after login without any webtop.

     

    Now Salesforce... it doesn't matter what settings I try, I always end up on the webtop, and then you have to manually click the Salesforce resource and it then launches you back to Salesforce (and does log you in successfully). Anyone have any luck getting around this? I am on 11.6 now and still have the same problem. Before 11.6 I had the iRule in place that fixed the assertions on redirect.