Forum Discussion

jamed_40076
Nov 04, 2015

APM as SAML SP using existing Virtual Server

Hi,


I'm trying to set up a simple pre-authentication, where for external access, APM will require you to sign in to ADFS before allowing access to a back end resource.


I can successfully log in, and my access policy goes to the "Allow" state, but I still can't view the resource. I end up at https://service.contoso.com/saml/sp/profile/post/acs, but that page doesn't return anything back.


When I remove the access policy from the virtual server, the virtual server works fine.


Is there anything I have to do to use the same virtual server for both the resource and the SAML SP?


We're running BIG-IP 11.6.0.


I'm using this documentation: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-saml-config-guide-11-3-0/4.html


Thanks


3 Replies

  • Yes, SP-initiated.

    The Access Policy is just:

    Start -> SAML Auth -> Successful -> Allow
                       -> Fallback   -> Deny
    

    The access profile is pretty much default, single domain, no domain cookie, secure cookie, no SSO configuration.

    The Local SP Service is set up as follows:

    Entity id: https://service.contoso.com/sp
    Assertion Consumer Service Binding: Post
    Security Settings: All checked 
    SP's Authentication Signing/Assertion Decryption Private Key: service.contoso.com.key 
    SP Certificate: service.contoso.com.crt
    Same certificate used to encrypt the https://service.contoso.com Virtual Server.
    

    I just used the ADFS template to create the SAML IDP Connector.

    Thanks

    • jamed_40076
      I found the issue. APM does not play nice with anything STREAM in HTTP_RESPONSE (even when it wasn't doing anything). To fix it I added a rule (if {[HTTP::header value server] contains "/servicename/"}) so that it wouldn't fire during the APM response.
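The conflict described in the last reply, a STREAM filter in HTTP_RESPONSE acting on responses that APM itself generates for its SAML SP endpoints, can be avoided by deciding per request whether the stream filter is allowed to run at all. The iRule below is an added example written for this thread; it is not the poster's rule and not F5-supplied code. It assumes the ACS path from the first post (/saml/sp/profile/post/acs, so everything under /saml/) plus APM's own /my.policy pages are the responses to leave alone, and it uses a hypothetical http-to-https link rewrite as the STREAM expression. The poster keyed the check on the Server header; keying it on the request path is this example's assumption about what distinguishes APM's responses from the back end's.

```tcl
# Added example iRule (not from the thread): run a STREAM rewrite only on
# back-end responses, never on responses APM generates for its own SAML SP
# endpoints (assumed to live under /saml/) or its access-policy pages (/my.policy).

when HTTP_REQUEST {
    # A stream filter stays enabled for the rest of the TCP connection once
    # turned on, so start every request with it switched off.
    STREAM::disable

    # Decide now, while the request path is still available, whether this
    # exchange may have its response rewritten. APM's SAML assertion consumer
    # service and policy pages are excluded so their responses pass untouched.
    if { [HTTP::path] starts_with "/saml/" || [HTTP::path] starts_with "/my.policy" } {
        set rewrite_ok 0
    } else {
        set rewrite_ok 1
        # Ask the back end for an uncompressed body so the stream filter can match it.
        HTTP::header remove "Accept-Encoding"
    }
}

when HTTP_RESPONSE {
    # Rewrite only text bodies, and only when the request handler marked this
    # exchange as eligible. info exists guards against the variable being unset.
    if { [info exists rewrite_ok] && $rewrite_ok && [HTTP::header value "Content-Type"] contains "text" } {
        # Hypothetical rewrite used for illustration: absolute http:// links to
        # the service become https://. Replace with whatever the back end needs.
        STREAM::expression {@http://service.contoso.com@https://service.contoso.com@}
        STREAM::enable
    }
}
```

Attach the rule to the same virtual server that carries the access profile. Because the decision is made in HTTP_REQUEST, the HTTP_RESPONSE handler never has to guess from response headers whether APM or the back end produced the response, which is the ambiguity that broke the ACS page in the thread.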