arpydays
Dec 11, 2015

SAML IDP issue

Hi,


I'm trying to understand the F5 IDP processing as I've run into a problem. I've set up an internal and external F5 IDP which has SP-initiated auth from a cloud proxy for a user forward proxy service. Both the internal and external IDPs are working OK, but there is one use case in the external IDP that isn't. The internal IDP uses Kerberos client-side auth and the external IDP uses interactive forms-based auth.


Basically, if a user is authenticating externally and they open the browser, it generates background HTTP traffic that causes the SAML auth to be triggered and traffic to hit the F5 SSO and my.policy URLs, although this is not presented to the user, triggering a session. When the user gets round to entering a URL, another SAML POST request comes into the F5 SSO URL, but this one has an MRH cookie in it.


Because of this the F5 does a redirect to the same SSO URL instead of /my.policy, and there is a subsequent GET to the SSO URL. It appears at this point the SAML POST is lost. The user then enters their credentials and gets "connection failed". Looking through the logs, they get authed OK but the logs indicate no SAML request was available. I'm wondering if the SAML POST was dropped due to the 302 redirect to the SSO URL straight after the SAML POST to the same URL.


I've tested the external IDP auth when the SAML POST does not have the MRH cookie: the request gets a redirect to my.policy for auth, then back to SSO for SAML response processing, and works OK.


Any advice appreciated.


2 Replies

  • Hi, only using single domain.


    It appears to be related to multiple SAML requests during a session. I can simulate the issue by initially browsing to a site; the SP redirects to the F5 IDP and I get the login page. Then I open another tab and browse to another site and get the login page again as part of a second SAML request. If I authenticate to this second page I get the failed connection, and F5 then redirects the second SAML POST (with the MRH cookie) back to the SSO URL, not my.policy. I don't see this on the internal IDP as the initial SAML request is authed using Kerberos.


  • Hi,


    We are running into the same error. If the login page was opened and the login process was not completed then when the user completes the second login form it fails with the error "SSOv2 Authn Request has no SAMLRequest".


    Did you find a solution to your problem or a workaround?


    Thanks
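The following is an added illustration, not code from this thread or from F5. It is a toy model of the sequence described in the original post and the first reply: two SP-initiated SAML POSTs land in the same browser session before the user has completed the login form, and the SAMLRequest that should be serviced after login is gone. The endpoint paths, the cookie name, the session store and the "lossy" branch are assumptions chosen to reproduce the reported outcome (the error text in the second reply); they do not describe how APM is actually implemented. The `queue_per_session=True` branch shows the behaviour an IdP needs so that a second request during an unfinished login is serviced rather than dropped.

```python
# Constructed model of an SP-initiated SAML IdP front end.  Everything here
# is an assumption for illustration; it is not F5 APM code.
from dataclasses import dataclass, field
import itertools

SSO_PATH = "/saml/idp/profile/redirectorpost/sso"  # assumed IdP SSO endpoint
LOGIN_PATH = "/my.policy"                            # login form / access policy
COOKIE = "MRHSession"                                # assumed session cookie name


@dataclass
class Session:
    sid: str
    authenticated: bool = False
    pending: list = field(default_factory=list)      # SAMLRequests awaiting login


@dataclass
class Response:
    status: int
    location: str = ""   # redirect target for a 302
    body: str = ""       # assertion text or error for 200 / 400


class ToyIdp:
    """Two ways of handling a SAML POST that arrives with an existing,
    not-yet-authenticated session cookie."""

    def __init__(self, queue_per_session: bool):
        self.queue_per_session = queue_per_session
        self.sessions = {}
        self._ids = itertools.count(1)

    def _lookup(self, cookies):
        """Return (session, is_new) for the browser's cookie jar."""
        sid = cookies.get(COOKIE)
        if sid in self.sessions:
            return self.sessions[sid], False
        s = Session(sid=f"s{next(self._ids)}")
        self.sessions[s.sid] = s
        return s, True

    def post_sso(self, cookies, saml_request):
        """SP-initiated flow: the SP POSTs a SAMLRequest to the IdP SSO URL."""
        s, is_new = self._lookup(cookies)
        cookies[COOKIE] = s.sid                  # Set-Cookie on the response
        if s.authenticated:
            return self._issue(saml_request)
        if is_new or self.queue_per_session:
            s.pending.append(saml_request)       # remember it until login completes
            return Response(302, LOGIN_PATH)
        # Assumed lossy branch: the session exists but is mid-login, so the
        # browser is bounced to the SSO URL as a GET.  The POST body is never
        # stored and the earlier pending request is discarded with it.
        s.pending.clear()
        return Response(302, SSO_PATH)

    def post_login(self, cookies, username, password):
        """User submits the login form.  Credentials are assumed valid here."""
        s, _ = self._lookup(cookies)
        s.authenticated = True
        return Response(302, SSO_PATH)

    def get_sso(self, cookies):
        """Browser returns to the SSO URL after login to collect the assertion."""
        s, _ = self._lookup(cookies)
        if not s.authenticated:
            return Response(302, LOGIN_PATH)
        if not s.pending:
            # Mirrors the reported failure: nothing left to build a response for.
            return Response(400, body="Authn Request has no SAMLRequest")
        return self._issue(s.pending.pop(0))

    @staticmethod
    def _issue(saml_request):
        return Response(200, body=f"SAMLResponse for {saml_request}")


def reproduce(queue_per_session: bool) -> Response:
    """Two tabs each trigger a SAML POST before the user logs in; the user then
    completes the login form and the browser returns to the SSO URL."""
    idp = ToyIdp(queue_per_session)
    jar = {}                                  # one browser, one cookie jar
    idp.post_sso(jar, "req-tab1")             # no cookie yet -> login page
    idp.post_sso(jar, "req-tab2")             # cookie present, still unauthenticated
    idp.post_login(jar, "alice", "password")  # constructed credentials
    return idp.get_sso(jar)


if __name__ == "__main__":
    print("lossy  :", reproduce(False))
    print("queued :", reproduce(True))
```

For anyone triaging this on a real IdP, the useful signal is the same as in the model: correlate the session cookie on the failing GET to the SSO URL with the earlier POSTs in that session, and check whether more than one SAMLRequest arrived before the login form was submitted.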