Forum Discussion

Aug 30, 2013

SAML issue with SimpleSAMLphp as IdP, BIG-IP as SP

I have been trying to get SAML working, SimpleSAMLphp as IdP and BIG-IP as SP. I believe it works up to the point where the IdP sends its successful auth data to the SP; once received by the SP, I get this error:

SAML Agent: /Common/saml_act_saml_auth_ag failed to parse assertion, error: Canonicalization of SignedInfo

Not sure how to continue from there; so many options and so little information on their exact effect.

I built the setup as follows: a virtual server with an access profile with just Start --> SAML Auth --> Allow, a BIG-IP as SP profile with an IdP connection based on URI /, and an IdP connection created from the IdP's metadata. I turned off as many signing and security options as possible; just testing now, will add them later on.

Anyone here who has set up BIG-IP as SP successfully with SimpleSAMLphp? Can you share some experience?

7 Replies

  • Perhaps the combination is not that common, but is the general setup of a normal virtual server with a pool towards some web server, with an APM profile with SAML auth, the acceptable setup for SAML? I expect to gain access after the IdP allows me and posts that to the virtual server I tried to access at first.
  • Currently, I have successfully set up BIG-IP as SP and also as IdP, but for some applications you can't use a connection based on URI / (for example, Exchange was /owa/). Working well with SAML SP and IdP.
  • Where exactly can't you use that /uri then? You mean do SAML for only /uri and not /?
  • Can you provide more configuration information? Without knowing more it is difficult to make a guess at an answer.
  • thanks but i really wouldn't know what to provide configuration wise, i used the default, so configuration of the SP on the BIG-IP isn't much more then making up an ID, importing the meta data from the IdP and making a connection. support: "This message is seen when BIG-IP is configured as SAML service provider (SP) and it does not authenticate if SAML assertion and SAML response are both signed. Authentication will fail. This issue has already been identified as BZ 396735 which is fixed in Eng HF for v11.3 and in v11.4 HF3." F5 support believes i encountered a bug and advise to update to 11.4 SP3, planning to do that this week and will report back.