Problems with BigIP/APM as Identity Provider for SAML2
Problem One:
I've configured my BigIP/APM as Identity Provider for SAML SSO (SP-initiated SSO) integration with our partner (Service Provider). When the counterpart Service Provider POSTs (by default, the POST binding method is used) an AuthnRequest as SAMLRequest to our IdP at https://www.mycompany.com/saml/idp/profile/redirectorpost/sso (this starts the APM evaluation process, and this URL is then set as landingUrl on BigIP/APM), our BigIP/APM working as IdP correctly pops up the login page for authentication. However, after successful authentication, BigIP/APM tries to GET the remembered landingUrl instead of replaying the original POST, with the result that our IdP fails to post the SAMLResponse back to the AssertionConsumerService URL of the SP, although the user has already been successfully authenticated.
Problem Two:
In order to work around the problem mentioned above, I've coordinated with our counterpart to use the REDIRECT binding method instead of POST. However, a new problem appeared. It seems that the length of the URL used to redirect the AuthnRequest plays some tricks on the BigIP/APM side while triggering the APM evaluation process. We've narrowed down a test case to reproduce this issue: for instance, the curl command below triggers the APM evaluation process on BigIP, as shown by BigIP redirecting to /my.policy and setting the MRHSession cookies.
GET /saml/idp/profile/redirectorpost/sso?SAMLRequest=nVfJkqNIEr3rK9LUR1kVmxaQVZZZBDsCBEhCgssY%2ByI2sUtfPyizKiurZ6atpw%2BYFIHHC%2FfnzyOcb42TZ9UWdG1cGMGtC5r2Zcyzotm%2BvXidd3WxLZ0mabaFkwfNtvW2B6DIW%2Fwruq3qsi29Mpu%2FgKYJ6jYpC7osmi4P6kNQ94kXnAz5dR63bdVsESQoxr5q2mmLr9Pv16LcLpcE8twHaSpkAguTLECqsmkRx2vmL8xkmRTOE%2FYXiB%2F0P1a%2Fr0z8X0vrwE%2FqwGvL%2Bg2kacr5i8i8zv%2BFUR5FOit%2F7bnuyglxFN0QobP0KIrASTJcL9dL3yEm46bpArFoWqdoX%2Bc4imNf0OUXHD9iqy1BbonVVxTF7fkLV9Ze8MbZ6zx0siaYv2g%2FuIBJ4SdF9NfEue9GzVY4HrUv2v5wnL%2BYQd28RToZzL9%2Fewa3ffOn%2FpSQv4Z1fmZh%2Fv0vOf%2BGfEL%2F%2Fs1vtockmoju6uDHXn7zzviEMAzD14H4WtYRMvGGIiiFTDZ%2Bk0R%2FzD%2FWBr5YhOU%2FWEw7RVkknpMlj7dEK0Ebl%2F4LyKKyTto4%2Fx9IGIKhT6Qvweh98bBl8ccc%2BT2Qvwn0m0t143xpYgf7gWUEYVAHhRe8nAzxdf7H35XR2%2BJj7RRNWNZ58%2Fvw%2F%2FMoKPogK6vA%2F9L8DOyHc38f8L9w9f1b4G3Fwsu6JukD9SmkyvGC5kcCA%2B%2FvQ03CD8JklJNmqpixeXqHfHbvT8N3NpgkmhT5T1L0KT3vIKaTdcH3IrmKFmtf43EfRLWrF5bSWykmyJT3%2BubAZ%2BO3iY%2Fkvg9%2Fifh3Gb2vOHi7Cz56NSVSxI00ghWxUcAdtbANqxb12e3jNlDlVsOvuLyPz9YFMPI5rHYyt0%2BXqzwZlLsgeaV5laNTsRiDNPAUOkdsZyWVTLy8ohAC5WawSHmMJTIdWiUN1oK8kGS3uFQ5H3JS%2BLiqVEEgvaDaqwYYdrokKXNPsisx1c6Q4SsbVbB9wpMno8VrXyROZhepY6WuF3RSubI5EOy5Ol30sLwnmr4z6DErKuNy7X2pOYchqnq9IOIq1gk8BlG9u2Or6B6nl0RiRWa5TJgjMHilp7gF6xIadylJTIDrMjtiSzOOr7GjcrQSOWVV8o29Njt7gWQerKNIwfRVqO5O3OiMu2zU03ZBDvfl8Pr6Qf0nrp%2F074L7RyouK5RinNb5GNDPMy6czow2%2BK6IIjcyNA139wgMIgSRqISXhhKkBNPCfXrhaUQBKE8fbvxBdAlGZy HTTP/1.1
> User-Agent: curl/7.64.1
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 302 Found
< Connection: Close
< Content-Length: 0
< Location: /my.policy
< Set-Cookie: LastMRH_Session=0ae14ed7;path=/;secure;HttpOnly
< Set-Cookie: MRHSession=ae1b8222181863b1ab29623b0ae14ed7;path=/;secure;HttpOnly
< Set-Cookie: MRHSHint=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/;Secure
However, if I append just one single letter A to the above URL, BigIP fails to trigger the APM evaluation process:
> GET /saml/idp/profile/redirectorpost/sso?SAMLRequest=nVfJkqNIEr3rK9LUR1kVmxaQVZZZBDsCBEhCgssY%2ByI2sUtfPyizKiurZ6atpw%2BYFIHHC%2FfnzyOcb42TZ9UWdG1cGMGtC5r2Zcyzotm%2BvXidd3WxLZ0mabaFkwfNtvW2B6DIW%2Fwruq3qsi29Mpu%2FgKYJ6jYpC7osmi4P6kNQ94kXnAz5dR63bdVsESQoxr5q2mmLr9Pv16LcLpcE8twHaSpkAguTLECqsmkRx2vmL8xkmRTOE%2FYXiB%2F0P1a%2Fr0z8X0vrwE%2FqwGvL%2Bg2kacr5i8i8zv%2BFUR5FOit%2F7bnuyglxFN0QobP0KIrASTJcL9dL3yEm46bpArFoWqdoX%2Bc4imNf0OUXHD9iqy1BbonVVxTF7fkLV9Ze8MbZ6zx0siaYv2g%2FuIBJ4SdF9NfEue9GzVY4HrUv2v5wnL%2BYQd28RToZzL9%2Fewa3ffOn%2FpSQv4Z1fmZh%2Fv0vOf%2BGfEL%2F%2Fs1vtockmoju6uDHXn7zzviEMAzD14H4WtYRMvGGIiiFTDZ%2Bk0R%2FzD%2FWBr5YhOU%2FWEw7RVkknpMlj7dEK0Ebl%2F4LyKKyTto4%2Fx9IGIKhT6Qvweh98bBl8ccc%2BT2Qvwn0m0t143xpYgf7gWUEYVAHhRe8nAzxdf7H35XR2%2BJj7RRNWNZ58%2Fvw%2F%2FMoKPogK6vA%2F9L8DOyHc38f8L9w9f1b4G3Fwsu6JukD9SmkyvGC5kcCA%2B%2FvQ03CD8JklJNmqpixeXqHfHbvT8N3NpgkmhT5T1L0KT3vIKaTdcH3IrmKFmtf43EfRLWrF5bSWykmyJT3%2BubAZ%2BO3iY%2Fkvg9%2Fifh3Gb2vOHi7Cz56NSVSxI00ghWxUcAdtbANqxb12e3jNlDlVsOvuLyPz9YFMPI5rHYyt0%2BXqzwZlLsgeaV5laNTsRiDNPAUOkdsZyWVTLy8ohAC5WawSHmMJTIdWiUN1oK8kGS3uFQ5H3JS%2BLiqVEEgvaDaqwYYdrokKXNPsisx1c6Q4SsbVbB9wpMno8VrXyROZhepY6WuF3RSubI5EOy5Ol30sLwnmr4z6DErKuNy7X2pOYchqnq9IOIq1gk8BlG9u2Or6B6nl0RiRWa5TJgjMHilp7gF6xIadylJTIDrMjtiSzOOr7GjcrQSOWVV8o29Njt7gWQerKNIwfRVqO5O3OiMu2zU03ZBDvfl8Pr6Qf0nrp%2F074L7RyouK5RinNb5GNDPMy6czow2%2BK6IIjcyNA139wgMIgSRqISXhhKkBNPCfXrhaUQBKE8fbvxBdAlGZyA HTTP/1.1
> Host: dev.vps.no
> User-Agent: curl/7.64.1
> Accept: */*
>
* LibreSSL SSL_read: SSL_ERROR_SYSCALL, errno 54
* Closing connection 0
curl: (56) LibreSSL SSL_read: SSL_ERROR_SYSCALL, errno 54
It would be great if we could get some feedback on these two issues from BigIP.
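An added example for bisecting the length threshold of Problem Two offline (my own code, not from the post and not F5's): it encodes an AuthnRequest the way an SP does for the HTTP-Redirect binding, recognises the 302 to /my.policy plus MRHSession cookie from the post as "APM evaluation triggered", and binary-searches how much padding a probe function can append before that signature disappears. The probe here is a simulated IdP with a made-up limit; the SSO path and response headers come from the post, and the AuthnRequest XML is constructed.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode

IDP_SSO_PATH = "/saml/idp/profile/redirectorpost/sso"  # IdP SSO path quoted in the post

def encode_redirect_binding(authn_request_xml: str) -> str:
    """HTTP-Redirect binding (SAML 2.0 Bindings 3.4.4.1): raw DEFLATE, then base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE stream, no zlib header
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    return urlencode({"SAMLRequest": base64.b64encode(deflated).decode("ascii")})

def decode_redirect_binding(query: str) -> str:
    """Inverse of encode_redirect_binding; raises if SAMLRequest no longer decodes cleanly."""
    b64 = parse_qs(query, strict_parsing=True)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(b64, validate=True), -15).decode("utf-8")

def apm_triggered(raw_response: str) -> bool:
    """The post's 'good' signature: 302 with Location: /my.policy and an MRHSession cookie.
    Accepts curl -v style '< ' prefixes; an empty string (connection dropped) counts as failure."""
    lines = [s for s in (l.strip().lstrip("<").strip() for l in raw_response.splitlines()) if s]
    if not lines or " 302 " not in lines[0]:
        return False
    hdrs = [l.partition(":") for l in lines[1:]]
    hdr = lambda name: [v.strip() for n, _, v in hdrs if n.strip().lower() == name]
    return hdr("location") == ["/my.policy"] and any(c.startswith("MRHSession=") for c in hdr("set-cookie"))

def max_passing_query_len(probe, query: str, max_pad: int) -> int:
    """Bisect how many padding chars fit after `query` before probe() stops returning the good signature.
    probe(path_and_query) -> raw response text. Returns the longest passing query length, -1 if the base fails."""
    passes = lambda pad: apm_triggered(probe(f"{IDP_SSO_PATH}?{query}{'A' * pad}"))
    if not passes(0):
        return -1
    if passes(max_pad):
        return len(query) + max_pad
    lo, hi = 0, max_pad  # invariant: lo passes, hi fails
    while hi - lo > 1:
        mid = (lo + hi) // 2
        lo, hi = (mid, hi) if passes(mid) else (lo, mid)
    return len(query) + lo

# Constructed sample responses, using the headers shown in the post.
GOOD_RESPONSE = """< HTTP/1.0 302 Found
< Location: /my.policy
< Set-Cookie: LastMRH_Session=0ae14ed7;path=/;secure;HttpOnly
< Set-Cookie: MRHSession=ae1b8222181863b1ab29623b0ae14ed7;path=/;secure;HttpOnly"""
DROPPED_RESPONSE = ""  # curl saw SSL_read: SSL_ERROR_SYSCALL, i.e. nothing came back

def simulated_idp(limit: int):
    """Stand-in for the real IdP: drops any request whose path+query exceeds `limit` chars (limit is made up)."""
    return lambda path_and_query: GOOD_RESPONSE if len(path_and_query) <= limit else DROPPED_RESPONSE
```

Against the real device, replace simulated_idp with a function that sends the path and query over TLS and returns the raw response text (or an empty string on a dropped connection).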