Forum Discussion

edgoad_211171's avatar
edgoad_211171
Icon for Nimbostratus rankNimbostratus
Sep 17, 2015

SP-Initated SAML redirects to webtop?

I have a policy setup with 2 SAML resources. IDP-Initiated connections for both work fine. SP-Initiated however is giving me a headache.

 

The first resource is working properly with SP-Initiated SAML assertions.

 

  1. User goes to https://resource1.com
  2. User is redirected to https://login.company.com/idp/resource1
  3. User types in credentials
  4. User is redirected to https://resource1.com/foo (based on the relay state attribute)

The second resource however doesnt flow completely.

 

  1. User goes to https://resource2.com
  2. User is redirected to https://login.company.com/idp/resource2
  3. User types in credentials
  4. User is presented with the full webtop
  5. User has to click the icon for resource2
  6. User is redirected to https://resource2.com/foo

The second resource isn't performing the final redirect as expected. Instead, they are shown the full webtop and have to manually select the resource they want.

 

Is there any way to make resource2 operate the same as resource1? Is this something that needs to be updated at the IDP or SP?

 

APM
cloud
security

14 Replies

Sort By
  • Michael_Koyfma1's avatar
    Michael_Koyfma1
    Icon for Cirrus rankCirrus
    Sep 18, 2015

    Hard to say, but most likely there is a mismatch on the SAML configuration side somewhere - maybe SP, maybe the IDP.

     

    For starters, since you say that you have two SPs, I suggest performing HTTPWatch or similar and checking if the URLs that SPs use to initiate the connection to the IDP are identical - if not, you might have a configuration mismatch on the SP side.

     

    Start by checking that first. You can also enable SSO debug log and see if there are any notices/errors reported there

     

    • edgoad_211171's avatar
      edgoad_211171
      Icon for Nimbostratus rankNimbostratus
      Sep 18, 2015
      Thanks for your feedback. I have used HTTPWatch and I am getting completely different readings from both resources. For resource1, the login process appears to POST to https://login.company.com/saml/idp/profile/redirectorpost/sso. For resource2, the login process appears to POST to http://login.company.com/my.policy. However, I am not familiar enough with SAML to know if this is wrong, or just another way to work it.
    • Michael_Koyfma1's avatar
      Michael_Koyfma1
      Icon for Cirrus rankCirrus
      Sep 18, 2015
      I am glad my suggestion was in the right direction. Not knowing details of resource2, I am guessing that SAML configuration on resource 2 side is mess up - please review it.
    • edgoad_211171's avatar
      edgoad_211171
      Icon for Nimbostratus rankNimbostratus
      Sep 18, 2015
      Out of curiosity, the authentication seems to be working, just the flow through the F5 (for whatever reason) isnt completing. Since the resource is sending the user to a unique URL (https://login.company.com/idp/resource2), is there some way I can force it? Can I use an iRule or something to select the SAML resource for the user?
  • Michael_Koyfman's avatar
    Michael_Koyfman
    Icon for Cirrocumulus rankCirrocumulus
    Sep 18, 2015

    Hard to say, but most likely there is a mismatch on the SAML configuration side somewhere - maybe SP, maybe the IDP.

     

    For starters, since you say that you have two SPs, I suggest performing HTTPWatch or similar and checking if the URLs that SPs use to initiate the connection to the IDP are identical - if not, you might have a configuration mismatch on the SP side.

     

    Start by checking that first. You can also enable SSO debug log and see if there are any notices/errors reported there

     

    • edgoad_211171's avatar
      edgoad_211171
      Icon for Nimbostratus rankNimbostratus
      Sep 18, 2015
      Thanks for your feedback. I have used HTTPWatch and I am getting completely different readings from both resources. For resource1, the login process appears to POST to https://login.company.com/saml/idp/profile/redirectorpost/sso. For resource2, the login process appears to POST to http://login.company.com/my.policy. However, I am not familiar enough with SAML to know if this is wrong, or just another way to work it.
    • Michael_Koyfman's avatar
      Michael_Koyfman
      Icon for Cirrocumulus rankCirrocumulus
      Sep 18, 2015
      I am glad my suggestion was in the right direction. Not knowing details of resource2, I am guessing that SAML configuration on resource 2 side is mess up - please review it.
    • edgoad_211171's avatar
      edgoad_211171
      Icon for Nimbostratus rankNimbostratus
      Sep 18, 2015
      Out of curiosity, the authentication seems to be working, just the flow through the F5 (for whatever reason) isnt completing. Since the resource is sending the user to a unique URL (https://login.company.com/idp/resource2), is there some way I can force it? Can I use an iRule or something to select the SAML resource for the user?
  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Sep 18, 2015

    Hi, to use IDP initiated SAML, you created 2 idp profiles? one for each sp.

     

    the SP initiated SAML use idp as SSO profile. as you have 2 IDP depending on the SP requesting, you need to assign with an irule a different so for the second ressource.

     

    you can see how to change so profile here

     

  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Sep 18, 2015

    Hi,

     

    ACCESS_ACL_ALLOWED Évent raise when user request is allowed by apm.

     

    It raise just after HTTP_REQUEST When user is authenticated.

     

    On the last irule, the condition is not referrer but the host name...

     

    If the host name is the same for both IDP, you can filter on HTTP::path instead of HTTP::host

     

  • Walter_Kacynski's avatar
    Walter_Kacynski
    Icon for Cirrostratus rankCirrostratus
    Sep 18, 2015

    "For resource2, the login process appears to POST to http://login.company.com/my.policy"

     

    Can you re-configure resource 2 to issue a post to the correct URL? It seems like the meta-data that you have configured i resource 2 is incorrect. Maybe it is only referencing the root url and not the SAML redirect URL?

     

  • edgoad_211171's avatar
    edgoad_211171
    Icon for Nimbostratus rankNimbostratus
    Sep 18, 2015

    I somewhat stumbled across the solution, it was the login URL that was set for the second resource.

     

    When we started the setup, they asked for the login URL, which I assumed was https://login.company.com/idp/resource2 since that was the IDP Entity ID. It wasn't until I compared the metadata from my IDPs and the working service provider, that I realized it should have been https://login.company.com/saml/idp/profile/redirectorpost/sso.

     

    Once the SP updated their system to use the new URL, everything worked great. Though I am somewhat surprised it was this hard to get working. Is it normal for people to need to sniff transactions and reverse-engineer packet captures to make this work?

     

    • Michael_Koyfma1's avatar
      Michael_Koyfma1
      Icon for Cirrus rankCirrus
      Sep 18, 2015
      Glad you got this working! SAML is not the easiest thing in the world, but once you get a hang of it and set up a few IDP/SP relationships, you'll be easily verses in all its pitfalls.