Forum Discussion

Martin_Šebek
Apr 14, 2020

APM as SAML Service Provider and IdP connector automation

Hello,

I am using APM (TMOS 14.1.2.3) as SP and ADFS as IdP. The setup works, but I also must automate the process of renewing the signing certificate of the IdP because it is changed regularly and automatically on ADFS.

I have tried to set up Access/Federation/SAML Service Provider/Connector Automation. But I do not see any attempts of BIG-IP trying to reach the URL with the ADFS XML. The log file /var/log/saml_automation.log is empty. Any idea how to debug this kind of issue?

I am also aware of bug 755739, which prevents importing metadata from the IdP if it contains an SPSSODescriptor. The metadata file from the ADFS I have to federate with contains this descriptor. Does this bug affect the process of connector automation? As far as I understand, it should.

Martin

4 Replies

  • I will partially answer myself. BIG-IP started to poll the metadata file from the configured URL after I restarted the samlidpd service.

    tmsh restart /sys service samlidpd

    Anyway. Now I ran into another problem, because I get the message "Tag value to create object name is empty" in /var/log/saml_automation.log. Is there any how-to documentation with examples of how to configure this functionality? I have read this article, but I did not succeed.

  • Ripin

    Hi Martin, were you able to solve this issue? I am facing exactly the same issue, getting this error "Tag value to create object name is empty."

    • Martin_Šebek

      Not yet. But I at least solved this problem with the empty Tag value. The problem was that I was using an element (tag) which had sub-elements with attributes. Once I changed it to an element which has only a value in it, the IdP connector is successfully created. But I also had to upgrade to version 15.1.0.2 (in the lab). On version 14 the metadata provided by the IdP cannot be imported because of the bug I linked in the original post.

      Anyway, I have opened an SR for the IdP automation functionality and will post the result once it is solved. Now the status is that BIG-IP creates the IdP connector but does not bind it to an SP service. If the binding is done manually, it works. But of course the goal is to automate this process.

  • Ripin

    I didn't get it when you say an element which has a sub-element. Which field are you talking about?

    However, kind of the same thing is happening with me as well: it creates an IdP from the metadata URL if I use the value * for Metadata Tag For IdP Connector Name, but doesn't bind this with the SP.

    If I use anything other than that, it doesn't even create the IdP. I am already on 15.1.0.

    I have also opened an SR for this issue; hope we will get some response soon.

    May 13 16:59:57 IdP automation /Common/ripin is fetching metadata from url https://"metdataurl"

    Success: Cmd- /usr/bin/md5sum /tmp/xml_meta.xml

    Cur MD5 - [648b0c77eb76ae50cf785d1345e03]

    Prev MD5 - []

    May 13 16:59:58 Tag value to create object name is empty.

    May 13 16:59:58 Deleting IdP object association /Common/MIIDpDCCAoygAwIBAgIGAWaqTH5tMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG_A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0Y_43c4bc8cdefdcd5374303d248b9aa630

    May 13 16:59:58 Deleting SAML IdP connector /Common/MIIDpDCCAoygAwIBAgIGAWaqTH5tMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG_A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0Y_43c4bc8cdefdcd5374303d248b9aa630

    May 13 17:00:55 saml_timer_cb Objname is empty
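As an added example (not code from the thread, and not F5's own implementation of the poller), the following Python script does offline what the automation log above shows happening and what Martin's reply describes: it fingerprints a fetched metadata document with MD5 to detect a change (the Cur MD5 / Prev MD5 lines), extracts the IDPSSODescriptor signing certificate that ADFS rotates, reports whether the document carries an SPSSODescriptor (the condition the thread says trips bug 755739 on 14.x), and evaluates candidate elements for the "Metadata Tag For IdP Connector Name" field: an element with child elements, or with attributes only, yields an empty value, while a text-only element yields a usable one. The metadata document is constructed with placeholder values, and the rule that produces "Tag value to create object name is empty" is an assumption modelled on the thread, so treat the checks as a pre-flight test of your own metadata, not as a reproduction of the product.

```python
"""Added example (not from the thread or from F5): pre-flight checks on SAML
IdP metadata before pointing APM's IdP connector automation at it."""
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed ADFS-style metadata: an IDPSSODescriptor with a signing key plus
# the SPSSODescriptor that ADFS always emits. The certificate is a placeholder.
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>MIIDpDCCAoygAwIBAgIGAWaqTH5tPLACEHOLDERCERTBASE64</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def local_name(element):
    """Strip the namespace from an ElementTree tag: '{ns}Foo' -> 'Foo'."""
    return element.tag.rsplit("}", 1)[-1]


def metadata_fingerprint(xml_bytes):
    """MD5 of the raw document, the same Cur MD5 / Prev MD5 comparison the
    automation log prints. MD5 only detects change here; it does not
    authenticate the document (TLS on the metadata URL has to do that)."""
    return hashlib.md5(xml_bytes).hexdigest()


def metadata_changed(prev_md5, xml_bytes):
    """True when the fetched document differs from the last one seen."""
    return prev_md5 != metadata_fingerprint(xml_bytes)


def idp_signing_certs(xml_bytes):
    """Base64 bodies of the IdP signing certificates: what rotates on ADFS and
    what the IdP connector has to be refreshed with."""
    root = ET.fromstring(xml_bytes)
    certs = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))
    return certs


def has_sp_descriptor(xml_bytes):
    """ADFS publishes an SPSSODescriptor next to the IDPSSODescriptor; the
    thread reports that its presence blocks metadata import on 14.x."""
    root = ET.fromstring(xml_bytes)
    return root.find("md:SPSSODescriptor", NS) is not None


def tag_value(xml_bytes, name):
    """Text of the first element whose local name is `name`, or '' when the
    element is missing, has child elements, or carries only attributes.
    Assumption: this models the condition behind "Tag value to create object
    name is empty"; the product's exact rule is not documented in the thread."""
    root = ET.fromstring(xml_bytes)
    for element in root.iter():
        if local_name(element) == name:
            if len(element):  # container element: no usable text
                return ""
            return "".join((element.text or "").split())
    return ""


def usable_name_tags(xml_bytes):
    """Local names of text-only elements, i.e. the candidates that will not
    produce an empty connector name."""
    root = ET.fromstring(xml_bytes)
    names = []
    for element in root.iter():
        name = local_name(element)
        if len(element) == 0 and (element.text or "").strip() and name not in names:
            names.append(name)
    return names


if __name__ == "__main__":
    print("Cur MD5 -", metadata_fingerprint(SAMPLE_METADATA),
          "changed:", metadata_changed("", SAMPLE_METADATA))
    print("signing certs:", idp_signing_certs(SAMPLE_METADATA))
    print("has SPSSODescriptor:", has_sp_descriptor(SAMPLE_METADATA))
    for name in ("KeyDescriptor", "SingleSignOnService", "X509Certificate"):
        value = tag_value(SAMPLE_METADATA, name)
        print(f"{name}: {'EMPTY (unusable as name tag)' if not value else value[:24]}")
    print("usable name tags:", usable_name_tags(SAMPLE_METADATA))
```

Run it against the XML you download from your own ADFS metadata URL instead of SAMPLE_METADATA: an empty result from tag_value for the element you intend to configure is the same situation the log above reports, and usable_name_tags lists the elements that avoid it.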