Juniper SSL and BIG-IP APM SAML Interoperability

Probably my least favourite thing I’ve been ‘privileged’ to work on this year has been SAML federation. With a view to replacing our Juniper IVEs, which act as just SSL VPN gateways, I’ve been looking at the alternatives which offer more functionality in the way of load balancing, application delivery, and security features (i.e. SQL injection protection, form sanitisation, etc.). Our company uses SAML federation on the Junipers currently, so any proposed replacement would need to do this too. The BIG-IP APM product and the Citrix NetScalers both boast a feature set which includes both the SSL VPN functionality as well as the aforementioned additional features.

While I have a pretty good understanding of SAML and the roles of the IDP and SP systems, it seems the variances in how each vendor implements these roles are enough to cause a bit of a headache. Even though the Juniper and F5s have a seemingly intuitive approach to setting these up, it’s still not that easy to get them working together. Metadata files are supposed to make the exchange of this configuration between platforms easy. It should just be a matter of exporting/importing these on each of the SP/IDP systems, exchanging SSL certificates, and configuring the resources to be accessed. In a short amount of time, I’ve managed to hit three errors:

The following were caused by mismatched certificates:

Oct 15 14:48:30 xxxapmt01v err apd[20059]: 01490204:3: 9a52b00c: SAML Agent: /Common/APM_POC_act_saml_auth_ag failed to process signed assertion, error: IdP certificate mismatch
Oct 15 15:05:57 xxxtapmt01v err apd[20059]: 0149020a:3: 7d4f8750: SAML Agent: /Common/APM_POC_act_saml_auth_ag SAML assertion is invalid, error: AuthenticationStatement must have AuthnInstant attribute

This is the error I’m currently stuck on:

Oct 15 14:59:38 xxxapmt01v err apd[20059]: 01490203:3: 2862ad79: SAML Agent: /Common/APM_POC_act_saml_auth_ag failed to parse assertion, error: Response is not encrypted

The Juniper is active as the IDP and I’m not sure why it’d be sending unencrypted assertions. I have the same system working with other SPs, so I think it’s more likely to be on the APM (SP).
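A pre-flight check for the three conditions behind the log errors above, run against a captured SAML response before it reaches the SP. This is an added example, not code from Juniper or F5; it assumes SAML 2.0 namespaces, and `preflight`, `sp_requires_encryption` and the sample response and certificates are hypothetical names and constructed values.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def cert_fingerprint(b64_der):
    """SHA-256 of a certificate given as base64 text (whitespace ignored)."""
    der = base64.b64decode("".join(b64_der.split()))
    return hashlib.sha256(der).hexdigest()

def preflight(response_xml, expected_idp_cert_b64, sp_requires_encryption):
    """Return findings that correspond to the three SP-side log errors."""
    # Diagnostic only: this does not validate the XML signature itself.
    root = ET.fromstring(response_xml)
    findings = []
    # 1. Signing cert embedded by the IdP vs. the cert imported on the SP.
    embedded = root.find(".//ds:X509Certificate", NS)
    if (embedded is not None and embedded.text and
            cert_fingerprint(embedded.text) != cert_fingerprint(expected_idp_cert_b64)):
        findings.append("IdP certificate mismatch")
    # 2. Each authentication statement must carry an AuthnInstant attribute.
    for stmt in root.iterfind(".//saml:AuthnStatement", NS):
        if not stmt.get("AuthnInstant"):
            findings.append("AuthnStatement missing AuthnInstant")
    # 3. SP expects EncryptedAssertion but the IdP sent a plain Assertion.
    has_plain = root.find("saml:Assertion", NS) is not None
    has_encrypted = root.find("saml:EncryptedAssertion", NS) is not None
    if sp_requires_encryption and has_plain and not has_encrypted:
        findings.append("Response is not encrypted")
    return findings

# Constructed sample data: placeholder bytes stand in for real DER certificates.
CERT_A = base64.b64encode(b"constructed-cert-A").decode()
CERT_B = base64.b64encode(b"constructed-cert-B").decode()
SAMPLE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Assertion><ds:Signature><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>{CERT_A}</ds:X509Certificate>
 </ds:X509Data></ds:KeyInfo></ds:Signature>
 <saml:AuthnStatement SessionIndex="constructed"/></saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(preflight(SAMPLE, CERT_B, sp_requires_encryption=True))
```

Comparing fingerprints rather than certificate text avoids false mismatches from line wrapping or PEM headers when the same certificate is exported from one platform and imported on the other.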

I’ve followed these guides to a tee:

Configuring Juniper as IDP

Configuring F5 APM as SP

Drop me a line if you have any experience with the errors please!

-Update 1- 11.4.0 This is fixed in HF4.
