Forum Discussion

arpydays
Feb 05, 2016

SAML issue

Hi,

My setup is SP-initiated SAML using F5 APM as the IdP. The F5 authenticates the web users using NTLM (client-side NTLM on the F5) as part of the IdP authentication.

All appears to be working for Firefox. With IE11, for the same account, I get the following in the logs and a "page cannot be displayed" error in the browser:

SSOv2 POST Authn Request has no body 
SSOv2 Error(12) Extracting SAML Data from Request

Looking through the logs it appears NTLM is authenticating OK and the policy completed OK. It would appear that the SAML request is actually there; otherwise the logs might state the Authn request was missing. Both browsers are using the same policy and SAML setups on the SP and IdP. Any ideas appreciated.

thanks

4 Replies

  • I suggest you use HttpWatch or a similar tool to capture and analyze traffic in Firefox and IE to observe where the difference in behavior is. Did you check whether the issue disappears if you use forms-based logon instead of NTLM? Who is your SP here? What BIG-IP version?

     

  • Hi Michael,

     

    The issue does disappear when using forms auth; the version is 11.6 HF5. I tracked it down to IE not sending the 'dummy' token parameter in the subsequent POST to APM SAML SSO after being authenticated by the APM policy. It seems a bit obscure, so I've tried a different configuration using the rule from your "Leveraging BIG-IP APM for seamless client NTLM Authentication" doc, as this will also give me some control over NTLM and fallback to logon.

     

    This appears to be working from an NTLM and SAML perspective, with one issue. The session.logon.last.username does not appear to be populated as it was with a basic NTLM-enabling rule with no redirecting; this breaks my AD query. I've also got the mapping of ECA::username to session.ntlm.last.username in the ECA_REQUEST_ALLOWED event as per your rule. The logs indicate that session.logon.last.username and session.ntlm.last.username are empty. I've added some variable logging and this confirms the issue. For some reason any log local0. statements in ECA_REQUEST events do not show up in the apm log, which doesn't help.

     

    Interestingly, session.ntlm.last.machinename and session.ntlm.last.status are mapped and populated with the ECA values; just the session.ntlm.last.username variable is not, and neither is session.logon.last.username.
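    As an added illustration (this is not code from the thread or from the referenced F5 document), the variable mapping described in the post above, plus a check that the logon username actually landed before the AD Query runs. The event and command names (ECA_REQUEST_ALLOWED, ECA::username, ECA::client_machine_name, ECA::status, ACCESS::session, ACCESS::policy agent_id) are assumed from the APM iRule vocabulary and should be verified against the iRule reference for your BIG-IP version; the iRule Event agent ID "check_ntlm_user" is a placeholder.

```tcl
# Added example, not the thread's or F5's documented iRule.
# Assumed: ECA_REQUEST_ALLOWED fires after client-side NTLM succeeds, and the
# ECA::* commands expose the authenticated identity for that request.
when ECA_REQUEST_ALLOWED {
    set ntlm_user [ECA::username]

    # Mirror the NTLM result into the session.ntlm.last.* variables.
    ACCESS::session data set session.ntlm.last.username    $ntlm_user
    ACCESS::session data set session.ntlm.last.machinename [ECA::client_machine_name]
    ACCESS::session data set session.ntlm.last.status      [ECA::status]

    # The AD Query agent's default search filter reads
    # session.logon.last.username, so populate it explicitly as well.
    ACCESS::session data set session.logon.last.username $ntlm_user
}

# Pair with an iRule Event agent (ID assumed: "check_ntlm_user") placed in the
# access policy between the NTLM step and the AD Query, so an empty username is
# logged and flagged where policy logging is visible.
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "check_ntlm_user" } {
        set u [ACCESS::session data get session.logon.last.username]
        if { $u eq "" } {
            log local0. "NTLM mapping check: session.logon.last.username is empty"
            ACCESS::session data set session.custom.ntlm_user_ok 0
        } else {
            log local0. "NTLM mapping check: user=$u"
            ACCESS::session data set session.custom.ntlm_user_ok 1
        }
    }
}
```

    A Branch Rule on `expr { [mcget {session.custom.ntlm_user_ok}] == 1 }` can then route an empty-username session to the logon-page fallback instead of letting the AD Query fail.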

     

  • After removing and reapplying some parameters the username variable is now passed OK :)

     

    cheers

     

    • Ketaki

      Hi,

       

      I am facing the same issue. Can you let me know what parameters you changed?

       

      Thanks,

      Ketaki