SAML artifact binding howto

Question

as pointed out in several posts in the past version 11.6 brings SAML artifact binding to the BIG-IP.&nbsp;
this is great, but has anyone got this working? im trying but getting stuck and the documentation is quite limited.&nbsp;
i assume i need to create a "artifact resolution service", but on which virtual server do i configure this? the same as the SP? or a seperate one?&nbsp;
and i will need to configure this also in the IdP so it knows where to send the artifact, what do i configure there, is  enough or is some specific path needed like with the SP ID?&nbsp;
and then the host and port, the documentation mentions the port is default 80, mine was on 443 i believe. but does this mean my virtual server has to also listen on that port or is an extra port opened?&nbsp;

boneyard · Answer

gotten a little further and believe i don't need the "artifact resolution service" in a BIG-IP as SP scenario. but getting stuck on the SP consuming the SAML response after asking for it via the Artifact.&nbsp;
anyone who has some experience to share?&nbsp;

kunjan · Answer

You may want to verify if the signature method used is rsa-sha1 for the assertion signing. &nbsp;&nbsp;

kunjan_118660 · Answer

You may want to verify if the signature method used is rsa-sha1 for the assertion signing. &nbsp;&nbsp;

boneyard · Answer

i don't sign the assertion at all currently, only the artifact response. why would it have to be rsa-sha1? i recall reading rsa-sha-256 is the advised minimum these days.

boneyard · Answer

i don't sign the assertion at all currently, only the artifact response. why would it have to be rsa-sha1? i recall reading rsa-sha-256 is the advised minimum these days.

Forum Discussion

SAML artifact binding howto

5 Replies

Recent Discussions

What are the different phases in DevOps?

Create a CSR and Key using the BigIP LTM GUI when renewing a certificate

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Related Content

Howto enable BIG-IP ASM client fingerprinting

LTM Monitoring IIS and Webserver Binding

BIGIP BIND for CVE-2022-38177

extract LTM VS ssl profile binding cert and key information to generate a json with python f5-sdk

Obfuscate GTM's BIND Version