Forum Discussion

SysTopher
Nov 17, 2016

SAML SSO failing

Hi there,
I'm attempting to get SAML up and going on the F5 for the first time and I've had quite a lot of learning and struggling to get things implemented since I've never worked with SAML before this. I'm having an issue getting SAML SSO working and can't quite figure out why.
I have an application that supports SAML authentication that users need to access. This application functions as a SAML SP. I have set up a SAML iDP on the F5 to handle AD authentication for our internal users. This functionality works if the user connects directly to the app or an LTM VIP for the app. Users connecting to the app get successfully redirected to my F5 iDP and they sign in and get access to the app.
Now what I'm attempting to do is front this app with SAML authentication. We will have external users accessing the app and we want to have the F5 function as a SAML SP to authenticate the user to external iDPs and then pass that assertion on to the backend application which will also be looking for an assertion.
I've created a SAML SP on the F5 and bound it to my internal iDP as well as our external partner. If I set my pool to a basic web page that doesn't need authentication, the test user can access the site. They hit the VIP where I have an access policy doing SAML Authentication that's pointed to my SP. It redirects the user to the iDP where they sign in and get presented the simple web page.
When I try to apply this policy with a SAML SSO configuration SAML application it doesn't seem to be doing the single sign on. The user gets successfully authenticated, but then I get a connection reset and taken to saml/idp/profile/redirectorpost/sso on the iDP. The application owners say they aren't even seeing a request to the app coming in.
Here are my components:

LTM

  • iDP virtual server (idpservice.domain.com)
  • Application virtual server (testsaml.domain.com)

APM SAML

  • SAML BigIP as SP configured to use entity ID of the application URL, testsaml.domain.com, bound to my iDP and the partner's external iDP connector
  • SAML BigIP as iDP bound to the backend application server SP

APM Access Profiles

  • Access Policy applied to Application virtual server
    * (Start > SAML Auth > SSO Credential Mapping > Allow), the SAML auth is using the above SAML SP AAA server
    * SSO Configuration set to iDP that is bound to backend application
  • Access Profile applied to the iDP virtual server
    * (Logon page > AD Auth > AD Query > SSO Credential Mapping > Allow)
    * SSO Configuration set to iDP that is bound to backend application
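
As an added example (not code or configuration from this thread or from F5), here is a Python check of the fields an SP validates when an assertion reaches it, run against a constructed SAMLResponse addressed to the front-end SP entity ID from the post; it shows that an assertion minted for the front-end SP (testsaml.domain.com) is not addressed to the backend application's SP, which is why the second hop needs its own assertion from the iDP bound to it. The ACS path /saml/sp/profile/post/acs, the backend SP values and the clock are assumptions.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample: an assertion from the internal IdP addressed to the
# front-end SP (entity ID testsaml.domain.com). The ACS path is an assumption.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1"
  Destination="https://testsaml.domain.com/saml/sp/profile/post/acs">
  <saml:Assertion ID="_a1">
    <saml:Issuer>https://idpservice.domain.com/idp</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@domain.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2016-11-17T10:05:00Z"
          Recipient="https://testsaml.domain.com/saml/sp/profile/post/acs"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotOnOrAfter="2016-11-17T10:05:00Z"><saml:AudienceRestriction>
      <saml:Audience>testsaml.domain.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions></saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# (entity ID, ACS URL) of the two SPs in the chain; the backend values are placeholders
FRONT_SP = ("testsaml.domain.com", "https://testsaml.domain.com/saml/sp/profile/post/acs")
BACKEND_SP = ("https://app.internal.domain.com/sp", "https://app.internal.domain.com/acs")
NOW = datetime(2016, 11, 17, 10, 0, tzinfo=timezone.utc)  # constructed clock for the demo

def summarize_response(b64_response):
    """Decode a SAMLResponse and pull out the fields an SP validates on receipt."""
    root = ET.fromstring(base64.b64decode(b64_response))
    a = root.find("saml:Assertion", NS)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    conds = a.find("saml:Conditions", NS)
    return {"issuer": a.findtext("saml:Issuer", namespaces=NS),
            "destination": root.get("Destination"), "recipient": scd.get("Recipient"),
            "audience": conds.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS),
            "not_on_or_after": conds.get("NotOnOrAfter")}

def check_hop(fields, sp, now=NOW):
    """List mismatches between an assertion and the SP (entity ID, ACS URL) it reaches."""
    entity_id, acs_url = sp
    problems = []
    if fields["audience"] != entity_id:
        problems.append("Audience %r is not SP entity ID %r" % (fields["audience"], entity_id))
    for key in ("destination", "recipient"):  # both must name this SP's ACS
        if fields[key] != acs_url:
            problems.append("%s %r is not SP ACS %r" % (key, fields[key], acs_url))
    expiry = datetime.strptime(fields["not_on_or_after"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if now >= expiry:
        problems.append("assertion expired at " + fields["not_on_or_after"])
    return problems  # [] for FRONT_SP; three mismatches for BACKEND_SP
```

Calling `check_hop(summarize_response(SAMPLE_B64), FRONT_SP)` returns an empty list, while the same assertion checked against `BACKEND_SP` reports an Audience, Destination and Recipient mismatch.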
1 Reply

  • Hi SysTopher, try to use this APM IdP policy flow: Logon page > AD Auth > AD Query > SSO Credential Mapping > Advanced resource assign (webtop+SAML) > Allow