SAML IDP issue
Hi,
I'm trying to understand the F5 IDP processing as I've run into a problem. I've set up an internal and an external F5 IDP which has SP-initiated auth from a cloud proxy for a user forward proxy service. Both the internal and external IDPs are working OK, but there is one use case in the external IDP that isn't. The internal IDP uses Kerberos client-side auth and the external IDP uses interactive forms-based auth.
Basically, if a user is authenticating externally and they open the browser, it generates background HTTP traffic that causes the SAML auth to be triggered and traffic to hit the F5 SSO and my.policy URLs, although this is not presented to the user, triggering a session. When the user gets round to entering a URL, another SAML POST request comes into the F5 SSO URL, but this one has an MRH cookie in it.
Because of this the F5 does a redirect to the same SSO URL instead of /my.policy, and there is a subsequent GET to the SSO URL. It appears at this point the SAML POST is lost. The user then enters their credentials and gets "connection failed". Looking through the logs they get authed OK, but the logs indicate no SAML request was available. I'm wondering if the SAML POST was dropped due to the 302 redirect to the SSO URL straight after the SAML POST to the same URL.
I've tested the external IDP auth when the SAML POST does not have the MRH cookie: the request gets a redirect to my.policy for auth, then back to SSO for SAML response processing, and works OK.
Any advice appreciated.
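The failure described in the post, as an added example that is not part of the original thread and is not F5 code: a toy Python model of an IdP front door plus a browser that follows redirects the way RFC 7231 permits (a 302 answered to a POST is re-issued as a body-less GET, so any SAMLRequest carried in the POST body does not survive the hop). The endpoint path, the cookie name MRHSession, and the idea that the IdP keeps the SAMLRequest in a per-session stash are assumptions for the model, not a description of APM internals. The model reproduces the reporter's hypothesis: if the IdP answers the cookied POST with a 302 to itself before saving the SAMLRequest, the body is gone by the time the browser comes back, and the flow ends with "no SAML request available"; saving it before any redirect makes the same sequence succeed.

```python
"""Model of an SP-initiated SAML POST being lost across a 302 self-redirect.

Constructed example. SSO_URL, SESSION_COOKIE and the session stash are
assumptions about a generic IdP, not F5 APM behaviour.
"""
from dataclasses import dataclass, field
from typing import Optional
import itertools

SSO_URL = "/saml/idp/sso"       # hypothetical IdP SSO endpoint path (assumed)
POLICY_URL = "/my.policy"       # access-policy / login-form path named in the post
SESSION_COOKIE = "MRHSession"   # assumed name for the post's "MRH cookie"


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    location: Optional[str] = None
    set_cookie: Optional[tuple] = None
    body: str = ""


class Idp:
    """Toy IdP front door. stash_before_self_redirect=False models the suspected bug."""

    def __init__(self, stash_before_self_redirect: bool):
        self.stash_before_self_redirect = stash_before_self_redirect
        self.sessions = {}
        self._ids = itertools.count(1)

    def handle(self, req: Request) -> Response:
        sid = req.cookies.get(SESSION_COOKIE)
        sess = self.sessions.get(sid)
        if req.path == SSO_URL:
            if sess is None:
                # First contact: create the session, keep the SAMLRequest, go to login.
                sid = f"s{next(self._ids)}"
                self.sessions[sid] = {"authn": False,
                                      "saml_request": req.form.get("SAMLRequest")}
                return Response(302, POLICY_URL, set_cookie=(SESSION_COOKIE, sid))
            if req.method == "POST":
                # Cookied POST: start a fresh flow and bounce the browser back to SSO.
                # The body only survives if it is stashed *before* the redirect.
                sess["authn"] = False
                sess["saml_request"] = (req.form.get("SAMLRequest")
                                        if self.stash_before_self_redirect else None)
                return Response(302, SSO_URL)
            # GET on the SSO URL: the redirected browser arrives here without a body.
            if not sess["authn"]:
                return Response(302, POLICY_URL)
            if sess["saml_request"] is None:
                return Response(500, body="no SAML request available")
            return Response(200, body=f"SAMLResponse for {sess['saml_request']}")
        if req.path == POLICY_URL:
            if sess is None:
                return Response(302, SSO_URL)
            if req.method == "POST" and req.form.get("password") == "correct":
                sess["authn"] = True
                return Response(302, SSO_URL)
            return Response(200, body="login form")
        return Response(404)


class Browser:
    """Minimal cookie jar plus redirect following with browser semantics."""

    def __init__(self):
        self.cookies = {}

    def send(self, idp: Idp, req: Request, max_hops: int = 10) -> Response:
        for _ in range(max_hops):
            req.cookies = dict(self.cookies)
            resp = idp.handle(req)
            if resp.set_cookie:
                self.cookies[resp.set_cookie[0]] = resp.set_cookie[1]
            if resp.status in (301, 302, 303):
                # Browsers re-issue a POST as a GET with no body on 302/303.
                req = Request("GET", resp.location)
            elif resp.status in (307, 308):
                req = Request(req.method, resp.location, form=req.form)
            else:
                return resp
        raise RuntimeError("redirect loop")


def run_user_flow(idp: Idp) -> Response:
    """Replay the sequence from the post and return the final SSO response."""
    browser = Browser()
    # 1. Background browser traffic triggers SP-initiated auth; no cookie yet.
    r = browser.send(idp, Request("POST", SSO_URL, form={"SAMLRequest": "req-background"}))
    assert r.body == "login form"          # reached, but never shown to the user
    # 2. The user types a URL; the SP sends a second POST, now with the session cookie.
    r = browser.send(idp, Request("POST", SSO_URL, form={"SAMLRequest": "req-user"}))
    assert r.body == "login form"
    # 3. The user submits credentials; the IdP sends the browser back to the SSO URL.
    return browser.send(idp, Request("POST", POLICY_URL, form={"password": "correct"}))


if __name__ == "__main__":
    print(run_user_flow(Idp(stash_before_self_redirect=False)))  # status 500
    print(run_user_flow(Idp(stash_before_self_redirect=True)))   # status 200
```

Two points of the model carry over to a real deployment: a 302 (or 303) after a POST always strips the body, so anything the IdP needs from the SAMLRequest has to be persisted server-side before it issues the redirect; and checking for that persisted request at the point where the logs say "no SAML request available" is the quickest way to confirm whether the cookied POST was stashed or discarded.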