Ryan_T_152455
Oct 29, 2017

APM javascript error with Cisco Spark Windows application

I'm trying to get Cisco Spark SAML based SSO to work with APM. I have the web and mobile applications working fine following Cisco's instructions on the topic by creating a SAML IDP and external SP connector. The Windows application uses an SP-initiated connection but the Embedded IE window of the application throws a javascript error on the APM code:

 

An error has occurred in the script on this page 
Line: 35
Char: 5
Error: Not Implemented
https://sso.omnicell.com/public/include/js/web_host.js

When I use a login screen this error can be ignored and the SSO works fine. But if I try seamless NTLM SSO with the ECA module, then the login fails.

 

Does anyone have suggestions on how I can get this configuration to work?

 

Thanks, Ryan

 

4 Replies

  • Did you ever sort this one out? We switched from ADFS to the Big-IP for SSO and some of our Skype for Business users are seeing this same behavior.

     

    • Ryan_T_152455

      I worked with support for a while and they acknowledged that there is an issue with the ECA module in certain cases which is related to POST operations, which would come from SP-Initiated SAML. The support guy referred me to another case where they added a 100ms delay in the iRule HTTP_REQUEST section when the browser string indicates Chrome.

       

      My experience is that IE is the only browser failing and I added a delay for all POST operations and my situation improves some but is not fixed. When I say improves, I mean it goes from always failing to intermittently failing. I'm still seeking a full solution.

       

    • Shane_Hickey_19

      Thanks for the quick reply. We made a few changes to accommodate Chrome as well, but not the one you mention. We actually have a VIP sitting in front of the VIP with our ECA iRule. That first VIP has an iRule that does user-agent detection. If it detects "chrome" in the user-agent string it forces the login page instead of trying to do ECA. But, that was to solve an issue with SP-redirects in Chrome just hanging forever.

       

      These javascript errors (which are identical in line and character number to yours) seemed to have cropped up after we made some changes in our Skype for Business configuration. I'm still digging into exactly what those changes are. If I get a solution that is more than just a workaround, I will reply here.

       

    • Ryan_T_152455

      I also tried disabling clustered multi-processing https://support.f5.com/csp/article/K14358 in order for the delay to be more effective. It's hard to say whether that helped or not, but I left that setting in place regardless.

       

      The browser will end up doing 3 POST requests to the F5 during CHAP authentication. On the F5 side, the first two seem to execute just fine; the third one never comes if the defect is realized. From the browser's perspective, the 2nd POST doesn't get a reply from the F5. It's hard to troubleshoot because when I run it through Fiddler, it works just fine, possibly because of a change to the timing. This problem is also tricky to troubleshoot because the ECA module appears to be a black box on the F5 side that I can't see inside.