Forum Discussion

vdanniel_317211
May 01, 2017

F5 SAML SP metadata customization.

Hi there,

We are trying to integrate with a third-party IdP using the F5 SAML SP and IdP connector utility. It looks like the metadata the tool generates does not match what the IdP needs. The question is: is there a way to add more attributes to the metadata, e.g. below.


use=signing is missing in the xml export of F5 utility.

Below is another section:


The use attribute is missing and I can't seem to find a way to add this in the tool.

I also want to add the sections below. Sample Service Provider Sample Service Provider https://sample-service-provider.org.nz

Thanks in advance.
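The question above is about the `use` attribute on `KeyDescriptor` in SP metadata (and an Organization block). As an added example, not F5's code or anything from this thread, the Python below builds a minimal SP metadata document with `use="signing"` and `use="encryption"` set explicitly and an Organization element, then audits an exported metadata file for KeyDescriptors that lack `use` and can set it after the fact. One caveat worth knowing before patching an export: the SAML 2.0 metadata specification says that when `use` is omitted the key applies to both signing and encryption, so an export without it is valid; a strict IdP may still require it. The entity ID, URLs and certificate text are constructed placeholders.

```python
# Added example (not F5 code): build and audit SAML 2.0 SP metadata for
# KeyDescriptor use="signing"/"encryption". Stdlib only.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"  # serialises as xml:lang
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def q(prefix, tag):
    """Clark-notation tag name for ElementTree."""
    return "{%s}%s" % (NS[prefix], tag)


# Constructed placeholder, NOT a real certificate.
PLACEHOLDER_CERT = "MIIC...CONSTRUCTED-PLACEHOLDER-CERT...AQAB"


def key_descriptor(parent, use, cert_b64):
    """Append <md:KeyDescriptor use=...><ds:KeyInfo><ds:X509Data>... to parent."""
    kd = ET.SubElement(parent, q("md", "KeyDescriptor"), {"use": use})
    ki = ET.SubElement(kd, q("ds", "KeyInfo"))
    x509 = ET.SubElement(ki, q("ds", "X509Data"))
    ET.SubElement(x509, q("ds", "X509Certificate")).text = cert_b64
    return kd


def build_sp_metadata(entity_id, acs_url, cert_b64, org_name, org_url):
    """Return SP metadata XML with explicit key uses and an Organization block.
    Element order follows the metadata schema: KeyDescriptor* before
    AssertionConsumerService, Organization after the role descriptor."""
    ed = ET.Element(q("md", "EntityDescriptor"), {"entityID": entity_id})
    spsso = ET.SubElement(ed, q("md", "SPSSODescriptor"), {
        "AuthnRequestsSigned": "true",
        "WantAssertionsSigned": "true",
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
    })
    key_descriptor(spsso, "signing", cert_b64)
    key_descriptor(spsso, "encryption", cert_b64)
    ET.SubElement(spsso, q("md", "AssertionConsumerService"), {
        "Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "Location": acs_url,
        "index": "0",
        "isDefault": "true",
    })
    org = ET.SubElement(ed, q("md", "Organization"))
    ET.SubElement(org, q("md", "OrganizationName"), {XML_LANG: "en"}).text = org_name
    ET.SubElement(org, q("md", "OrganizationDisplayName"), {XML_LANG: "en"}).text = org_name
    ET.SubElement(org, q("md", "OrganizationURL"), {XML_LANG: "en"}).text = org_url
    return ET.tostring(ed, encoding="unicode")


def audit_key_descriptors(metadata_xml):
    """List the 'use' value of every KeyDescriptor under SPSSODescriptor.
    None means the attribute is absent (spec: key applies to both uses)."""
    root = ET.fromstring(metadata_xml)
    uses = []
    for role in root.findall("md:SPSSODescriptor", NS):
        for kd in role.findall("md:KeyDescriptor", NS):
            uses.append(kd.get("use"))
    return uses


def count_missing_use(metadata_xml):
    return sum(1 for use in audit_key_descriptors(metadata_xml) if use is None)


def set_missing_use(metadata_xml, use="signing"):
    """Return a copy of the metadata where KeyDescriptors lacking 'use' get one.
    Only do this when the key really is the one APM signs with."""
    root = ET.fromstring(metadata_xml)
    for kd in root.iter(q("md", "KeyDescriptor")):
        if kd.get("use") is None:
            kd.set("use", use)
    return ET.tostring(root, encoding="unicode")


# Constructed stand-in for an export that omits 'use' (shape only, not a real F5 export).
EXPORT_WITHOUT_USE = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/saml">'
    '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
    + PLACEHOLDER_CERT +
    '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
    '<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'Location="https://sp.example.test/saml/acs" index="0"/>'
    '</md:SPSSODescriptor></md:EntityDescriptor>'
)

if __name__ == "__main__":
    built = build_sp_metadata("https://sp.example.test/saml", "https://sp.example.test/saml/acs",
                              PLACEHOLDER_CERT, "Sample Service Provider", "https://sp.example.test")
    print(built)
    print("missing use in export:", count_missing_use(EXPORT_WITHOUT_USE))
    print("after fix:", count_missing_use(set_missing_use(EXPORT_WITHOUT_USE)))
```

Run it against a real export by replacing `EXPORT_WITHOUT_USE` with the file contents; the audit tells you which KeyDescriptors the IdP will see without a declared use, and the generated document shows the shape the IdP is asking for.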

6 Replies

  • P_K

    Hi Danniel,

     

    Isn't your IdP providing the metadata?

     

  • Hi,

     

    Yes, they have provided a sample metadata and I did import it when creating the external IdP connector in F5 APM. But when I export the metadata from the SP section, which is the request that I understand will be sent to the IdP from the SP in F5, it seems not to have those parameters. Am I missing something here?

     

    Thanks for helping in advance.

     

  • P_K

    Hi Danniel, I'm still trying to understand your requirement here.

     

    So where are you adding these attributes?

     

    Are we talking about SAML attributes?

     

    If the IdP provided you the metadata, that means your BIG-IP is acting as SP, am I right?

     

    If so, why do you want to export the metadata from SP?

     

  • That is right. Those questions put me in the right direction.

     

    The first problem is to add more parameters to the redirect, like the below. Right now there is one RelayState in the request; I would like to add more to it for the request to be understood by the end servers.

     

    https://test.govt.nz/sso/SSORedirect/metaAlias/logon-idp? ?SAMLRequest=fZJbb9swDIX%2FiqF339tsEeIARoICAdatiIc%2B7E2VmUaALGkinUt%2F%2FSQvKQJ066vIo%2FMdkgsUg3a8HWlvtvB7BKTkNGiDPBYaNnrDrUCF3IgBkJPkXfv4jVsdswQUieFLWsBuJ%2B1zjvCUrrWZJe1WvrMFxAN%2BBPygJG9PDqWEFS9YBRhkRexq2J3LI81z1YEjROVPZqz1QZt5yRJt33Y8t9MqDpHwAEq1WAnN1wFT1jiWbdcPE%2FP6rqAoo7ueymvWl3L18qctZ%2FVKKmbzbzUMX4hj8kYShhlVFMU%2FLMi3qn0XB6zmvq18sefL2EBj89xCtYZ0YnIbkgv5eZMkzeJy4Q2i2XMTJ8Ol7v7wmOR6PGU76FN17GA9CD3nsF86Vi%2FxWufi7rGi9WT9ZreQ5abW2x1VQUcAhPwJLHqwfBH2%2Bh%2Fii%2BnQ3tXIXaZHCZANr%2FtHl6ny5EOinewmLIzjRJd3t00qH29jCbhkRzJvmMR1XkjhSj1zEVt6D0%2FY8BFO%2Bee5uzkpyGfWB%2BNH2HXkwr7S%2FTOKfLlfk%2F%2BDlH298%2BQc%3D

     

    &RelayState=SzQzTjK0NDCxMDVITTY2N0gxNTAwMTFPMzROS0o0MDAAAA%253D%253D

     

    &SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1

     

    &Signature=VwZiHU0VDHcklgo83dmTnF0DZXnHQvVBkC3hQxTmXg9HLtgneehwgrwp3pthgegNgKBiGMLYMpWN8FP%2BsbkaPPoUOZHnBXnpUDAPj%2F2vvBNlhd0z2GrED%2Fi2K54%2FycbwA0rH%2BlTOKl6OQUXZ2PGHPwEQ14LPMspmpSnCEoLTl9M%3D

     

  • vdanniel, the metadata you export from your SP usually mirror the configuration of your SP. If you don't have any signature or encryption information in your metadata it might be because that is not set in your SP configuration.

     

    I am not sure if you can add any RelayState; at the end this is a sort of obfuscation mechanism, information sent by the SP to the IdP to keep the entry point of the client when this one is redirected back to the SP. RelayState is configured on the IdP, but here it is plain text.

     

    Attributes are sent by the IdP to provide additional information about the user to the SP, so in your case it does not apply.

     

  • Thanks Daniel. So what is the best way to add all the necessary query parameters in F5 APM? I tried to use the endpoint settings to populate the extra parameters, but when it adds the SAML request it appends the ? again to the URL and dismantles the URI. SigAlg and Signature are the parameters required to send to the IdP, in this case the realme.govt.nz test site. Any advice on this is highly appreciated.

     

    Thanks
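Both the pasted redirect URL earlier in the thread and the last post turn on how the SAML 2.0 HTTP-Redirect binding composes its query string: `SAMLRequest` is the DEFLATE-compressed, base64-encoded AuthnRequest, and the `Signature` covers the URL-encoded `SAMLRequest`, `RelayState` (when present) and `SigAlg` concatenated with `&` in exactly that order, so extra parameters cannot simply be added and the string must be appended to the IdP URL without a second `?`. The Python below is an added example, not F5 or RealMe code, showing that encoding and decoding, the exact bytes a verifier must check the signature over (taken from the raw query as received, not re-encoded), joining onto an SSO URL that already carries a query string, and detecting a doubled `?` like the one in the pasted URL. The AuthnRequest, URLs and the signature bytes are constructed placeholders; the actual RSA signing and verification over the returned bytes is left to a crypto/XML-DSig library.

```python
# Added example (not F5 code): SAML 2.0 HTTP-Redirect binding encoding, the
# signed byte string (Bindings spec section 3.4.4.1), URL assembly and parsing.
import base64
import zlib
from urllib.parse import quote, unquote, urlsplit

SIG_ALG_RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed minimal AuthnRequest; IDs and URLs are placeholders.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-id-1" '
    'Version="2.0" IssueInstant="2017-05-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.test/saml/acs">'
    '<saml:Issuer>https://sp.example.test/saml</saml:Issuer></samlp:AuthnRequest>'
)


def deflate_b64(xml_text):
    """Redirect binding: raw DEFLATE (no zlib header, wbits=-15), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def inflate_b64(value):
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def signed_query(saml_request_xml, relay_state, sig_alg):
    """Return (query_without_signature, bytes_to_sign). The signature input is
    SAMLRequest=<urlenc>&RelayState=<urlenc>&SigAlg=<urlenc>, in that order,
    RelayState omitted when not supplied."""
    params = [("SAMLRequest", deflate_b64(saml_request_xml))]
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    params.append(("SigAlg", sig_alg))
    query = "&".join("%s=%s" % (k, quote(v, safe="")) for k, v in params)
    return query, query.encode("ascii")


def build_redirect_url(sso_url, query, signature_bytes):
    """Append the signed query and Signature to the IdP SSO URL, using '&' if
    the URL already has a query string so a second '?' is never introduced."""
    sep = "&" if urlsplit(sso_url).query else "?"
    sig = quote(base64.b64encode(signature_bytes).decode("ascii"), safe="")
    return sso_url + sep + query + "&Signature=" + sig


def parse_redirect(url):
    """Decode a redirect-binding URL on the receiving side. Raises ValueError
    for a malformed query (a second '?' or missing required parameters)."""
    parts = urlsplit(url)
    if "?" in parts.query:
        raise ValueError("malformed redirect: second '?' inside query string")
    raw = {}
    for pair in parts.query.split("&"):
        key, _, value = pair.partition("=")
        raw[key] = value  # keep the raw (still percent-encoded) value
    for required in ("SAMLRequest", "SigAlg", "Signature"):
        if required not in raw:
            raise ValueError("missing parameter: " + required)
    # Rebuild the signed string from the raw values exactly as received; re-encoding
    # could change percent-escape case and break verification.
    signed = ["SAMLRequest=" + raw["SAMLRequest"]]
    if "RelayState" in raw:
        signed.append("RelayState=" + raw["RelayState"])
    signed.append("SigAlg=" + raw["SigAlg"])
    return {
        "request": inflate_b64(unquote(raw["SAMLRequest"])),
        "relay_state": unquote(raw["RelayState"]) if "RelayState" in raw else None,
        "sig_alg": unquote(raw["SigAlg"]),
        "signed_bytes": "&".join(signed).encode("ascii"),
        "signature": base64.b64decode(unquote(raw["Signature"])),
    }


def is_malformed_redirect(url):
    try:
        parse_redirect(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    q, to_sign = signed_query(SAMPLE_AUTHN_REQUEST, "constructed-relay-state", SIG_ALG_RSA_SHA256)
    # Placeholder signature bytes; a real SP signs `to_sign` with its RSA key here.
    url = build_redirect_url("https://idp.example.test/sso?metaAlias=logon-idp", q, b"\x01\x02\x03")
    print(url)
    print(parse_redirect(url)["request"])
    print("doubled '?' detected:", is_malformed_redirect(url.replace("?", "? ?", 1)))
```

The takeaway for the thread's last question: anything added to the query string outside `SAMLRequest`, `RelayState` and `SigAlg` is not covered by `Signature`, and a URL with `? ?` in it fails parsing on the IdP side before any signature check happens.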