F5 SAML WebEx

Question

Has anyone successfully integrated F5 APM SAML2.0 as an IdP with Webex (SP)?&nbsp;
I'm getting the following errors and not I'm not sure how to diagnose:&nbsp;
Jan 30 15:37:55 edge2 err tmm[14237]: 014d0002:3: 7e63b70b: SSOv2 Error: No SP Connector attached to SAML SSO (/Common/idp_XXXXXXX) matching authentication request. If ACS URL is present in authentication request it should match ACS URL from SP Connector. If Issuer is present in authentication request it should match entity_id from SP Connector.
Jan 30 15:37:55 edge2 err tmm[14237]: 014d0002:3: 7e63b70b: SSOv2 Error(16) Unable to find SAML SSO/SP Connector  object matching SAML Authn Request&nbsp;
I have an External SP Connector defined.  And it has been bound the the one, and only, Local IdP Service.  This Local IdP Service is also bound to a EMC Syncplicity SSO which works just fine.  So I'm stumped as to whether the issue is the the SAML External SP connector or the Webex SSO configuration for the IdP.&nbsp;
Any suggestions?&nbsp;

michael_koyfma1 · Answer

What does your config look like? Is your IDP config assigned as the SSO profile to the Access policy or in the VPE? Based on your description, it has to the former, as the same IDP config object cannot be currently used in the VPE as a SAML Resource if it has multiple SP connectors bound to it - so I would double-check your setup. I don't think this has anything to do with WebEx but rather with your APM setup.

gilles_archer_3 · Answer

Hi Michael,&nbsp;
The IDP SSO has two SAML SP Connectors (WebEx &amp; Syncplicity).  The IDP SSO is assigned to one access profile (VPE has Logon Page--&gt;AD Auth--&gt;AD Query) with no resource assignments.&nbsp;
I used the BIG-IP APM Authentication and SSO Manual- chapter 29 my guide.  Our intention is to use this IDP to host multiple SP that utilize the same assertion (email address) method.&nbsp;

michael_koyfma1 · Answer

Sounds like you have it setup right. Did you double-check that everything matches? the URIs, all slashes, etc - SAML is very picky on matching things. One easy way to test is to "unbind" Syncplicity Connector and just try with WebEx - if it still fails, you know that something does not match in terms of metadata. Did you import metadata file from WebEx to create the SP connector?

gilles_archer_3 · Answer

I'm way ahead of you, Michael.  I did try unbinding all SP connectors other than the WebEx connector.  No luck.  We exported the IdP and imported it into the WebEx SSO Configuration page.  We exported the WebEx SP and imported into APM.  It should be rather straight forward.&nbsp;
I've got a case open.  All the data is being analysed so now it's just a waiting game.&nbsp;
Thanks again.&nbsp;

michael_koyfma1 · Answer

It should be.  Feel free to message me your case number, and I can take a look and see if I can offer up any advice

Forum Discussion

F5 SAML WebEx

9 Replies

Recent Discussions

minimum tmos software version for connect CIS (openshift)

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5 Rseries HA

Need advise to setup a policy on F5

F5 Rseries R2600 Tenant sizing

Related Content

APM combining SAML and AD to work together

SAML SLO NameQualifier and SPNameQualifier attributes missing

AD attributes in SAML assertion

Office 365 SAML idp and Outlook 2016 solution?

Error Encrypting a SAML Assertion from APM