Forum Discussion

Philipp_Stadler
Jun 30, 2015

APM IdP SAML config for sharefile

Hi all,

We are trying to configure a SAML setup following an F5 SAML guide. Our system should have F5 as the SAML IdP and sharefile.com as the SP. Does anyone have experience with this architecture?

What we already have:

  • F5 APM config:

EntityID: https://auth.customer.com

Bound SP Entity: https://serviceat.sharefile.com/saml/info

Assertion Consumer Service URL: https://serviceat.sharefile.com/saml/acs

  • Sharefile config:

Sharefile Issuer: https://serviceat.sharefile.com/saml/info

IdP Issuer: https://auth.customer.com

Login URL: https://auth.customer.com/saml/idp/profile/redirectorpost/sso

Logout URL: https://auth.customer.com/saml/idp/profile/post/sls

When the user tries to log in on ShareFile, he is redirected to the F5 APM login page; after a successful login, the URL https://auth.customer.com/saml/idp/profile/redirectorpost/sso?SAMLRequest=blablabal.... is requested via GET, but we don't get any response there, so no redirect to the Assertion Consumer Service of ShareFile can be seen.

With the SAML tracer I can see the request to the F5:

    https://serviceat.sharefile.com/saml/info
        urn:oasis:names:tc:SAML:2.0:ac:classes:Password
Does anyone have an already running SAML configuration like this, or any hints on what we are doing wrong here? It seems to me that the APM doesn't listen on the requested URL.

Thanks in advance,

Philipp

6 Replies

  • kunjan

    The ACS URL looks different in the config, though I'm not very sure that itself will break. Are you using metadata from the SP to import into APM?

    If you can share the logs after enabling debug under 'Local IdP Services', it might help.

  • Thanks for your fast answer - I get the following error messages.

    Jun 30 17:33:10 slot1/shd-adc-1 err tmm[17069]: 014d0002:3: 58d3067c: SSOv2 Error: No SP Connector attached to SAML SSO from assigned SAML resources matching authentication request. If ACS URL is present in authentication request it should match ACS URL from SP Connector. If Issuer is present in authentication request it should match entity_id from SP connector.
    Jun 30 17:33:10 slot1/shd-adc-1 err tmm[17069]: 014d0002:3: 58d3067c: SSOv2 Error(16) Unable to find SAML SSO/SP Connector  object matching SAML Authn Request
    

    Maybe I didn't understand anything correctly, but the line

    https://serviceat.sharefile.com/saml/info

    in the request shows that the issuer is the same as configured in APM (External SP connector - General settings - Entity ID).

    Also the ACS URL from the request

    AssertionConsumerServiceURL="https://serviceat.sharefile.com/saml/acs?idpentityid=http://auth.customer.com"

    is the same as configured in APM (External SP connector - Endpoint settings - ACS URL).

    Can you please explain why you think the ACS is different?

    Thanks, Philipp

  • kunjan

    So the issue should be due to the ACS configured in the SP connector not matching the one in the incoming request. I suspect APM expects to match the full URL including the URI query parameter.

    Try configuring the full ACS URL "https://serviceat.sharefile.com/saml/acs?idpentityid=http://auth.customer.com" in the SP connector.

    With this error are you seeing the logon page? I would expect some kind of page error.
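The matching rule kunjan describes is the one the APM log line above spells out: a request is only routed to an SP connector whose entity_id equals the request's Issuer and whose ACS URL equals the request's AssertionConsumerServiceURL. The script below is an added example written for this thread, not code from F5 or from the original posters. It decodes a SAMLRequest as it appears in the HTTP-Redirect GET (base64 plus raw DEFLATE), pulls out the Issuer, ACS URL and AuthnContextClassRef, and replays that rule against two SP-connector configurations built from the values quoted in the thread, one with the ACS URL as originally configured and one with the full URL including the idpentityid query string. The sample AuthnRequest, the connector dictionaries and all function names are constructed assumptions; the exact-string comparison (query string included) is an assumption consistent with the outcome reported later in the thread, not a documented F5 behaviour.

```python
"""Replay the APM SP-connector matching rule on a decoded SAML AuthnRequest (added example)."""
import base64
import xml.etree.ElementTree as ET
import zlib

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample AuthnRequest, modelled on the Issuer, ACS URL and
# AuthnContextClassRef values quoted in the thread (ID and timestamp are made up).
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-id-0001" Version="2.0" IssueInstant="2015-06-30T15:33:10Z"
    Destination="https://auth.customer.com/saml/idp/profile/redirectorpost/sso"
    AssertionConsumerServiceURL="https://serviceat.sharefile.com/saml/acs?idpentityid=http://auth.customer.com"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://serviceat.sharefile.com/saml/info</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

# Two SP-connector configurations (constructed): the thread's original one, whose ACS URL
# lacks the query string, and the corrected one carrying the full URL.
SP_CONNECTOR_BEFORE = {
    "entity_id": "https://serviceat.sharefile.com/saml/info",
    "acs_url": "https://serviceat.sharefile.com/saml/acs",
}
SP_CONNECTOR_AFTER = {
    "entity_id": "https://serviceat.sharefile.com/saml/info",
    "acs_url": "https://serviceat.sharefile.com/saml/acs?idpentityid=http://auth.customer.com",
}


def encode_redirect_samlrequest(xml_text):
    """Build a SAMLRequest query value the way the HTTP-Redirect binding does: raw DEFLATE, then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    data = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect_samlrequest(param):
    """Reverse of the above: what a SAML tracer shows once it decodes the GET parameter."""
    return zlib.decompress(base64.b64decode(param), -15).decode("utf-8")


def parse_authn_request(xml_text):
    """Extract the three fields that matter for SP-connector selection and for the requested context."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    issuer = root.find("saml:Issuer", NS)
    ctx = root.find("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "authn_context": ctx.text.strip() if ctx is not None and ctx.text else None,
    }


def diagnose(request, connector):
    """Names of the fields that stop this connector from matching; [] means the connector matches.

    Rule taken from the logged error: when Issuer is present it must equal entity_id, and when
    ACS URL is present it must equal the connector's ACS URL. Comparison is exact, so a
    connector configured without the query string does not match a request that carries one.
    """
    mismatches = []
    if request["issuer"] is not None and request["issuer"] != connector["entity_id"]:
        mismatches.append("issuer")
    if request["acs_url"] is not None and request["acs_url"] != connector["acs_url"]:
        mismatches.append("acs_url")
    return mismatches


def match_sp_connector(request, connectors):
    """Return the name of the first connector that matches, or None (the 'SSOv2 Error(16)' case)."""
    for name, connector in connectors.items():
        if not diagnose(request, connector):
            return name
    return None


if __name__ == "__main__":
    param = encode_redirect_samlrequest(SAMPLE_AUTHN_REQUEST)  # the SAMLRequest=... seen in the GET
    req = parse_authn_request(decode_redirect_samlrequest(param))
    print("issuer        :", req["issuer"])
    print("acs_url       :", req["acs_url"])
    print("authn_context :", req["authn_context"])
    for label, connector in (("before", SP_CONNECTOR_BEFORE), ("after", SP_CONNECTOR_AFTER)):
        problems = diagnose(req, connector)
        print(f"{label}: {'match' if not problems else 'no match on ' + ', '.join(problems)}")
```

Run it as-is to see the "before" connector rejected on acs_url and the "after" connector accepted; to check a real capture, paste the SAMLRequest value from the tracer into decode_redirect_samlrequest and your connector's entity_id and ACS URL into the dictionary. Nothing here validates the request's signature, so a connector match only tells you which object APM would select, not whether the exchange is trustworthy.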

  • Step forward - thanks, we really have to configure the full URL including query parameters for the ACS URL on the F5 - thanks for that. Now I can also see the POST to the ACS URL of the ShareFile servers. But then I get redirected to the default logon page of serviceat.sharefile.com.

    Maybe I now have issues with the Assertion Subject? - I'm using the e-mail address.

    regards,

    Philipp

    btw: yes, I was able to log in on the F5 logon page, but then I got "page not found" (APM follows through the VPE to Allow and then nothing happened any more).

  • For all that will have similar issues or questions: "Signing is Key"!

    ShareFile requires SAML requests to be signed: we turned on signing, exchanged the key and all worked fine.

    Thanks for your support, Philipp