
SAML IdP is redirecting to the incorrect hostname


Information


Summary:

This article explains how to ensure the browser is returned to the correct hostname after SAML authentication.

Environment:

Product: LoadMaster

Version: Any

Platform: Any

Application: Any

Question/Problem Description:

We have an internal service (browser application). That service uses (public) MS AzureAD SAML for authentication. The Service Provider Identity is the internal FQDN of this service.

We want to implement a virtual service on the LoadMaster that enables public users to access this internal service including the existing SAML authentication. If possible we want the KEMP to authenticate via SAML before the request is forwarded to the real server where it is authenticated again.

We configured a public DNS name for the internal service and pointed that to a public IP which is then NATed to the IP of our LoadMaster.
We created a virtual service on the LoadMaster and also added client side SSO configuration for SAML.
In the end we managed to let the request hit the LoadMaster and be authenticated. But then the browser is redirected to the internal FQDN of our service. I believe this is because the SAML config for the application has the internal FQDN set as SP Identity.

Do you have any hints for such a scenario? Can we somehow work around this?

Steps to Reproduce:  
Error Message:  
Defect Number:  
Enhancement Number:  
Cause: This occurs when the SP Entity ID configured in the SAML SSO on the LoadMaster does not match the hostname the client is browsing to.
Resolution:

Navigate to Virtual Services > Manage SSO > modify the desired SSO > enter the FQDN the client is browsing to in the SP Entity ID field > click Set SP Entity ID. The value must have the format https://<PublicFQDN>/ or http://<PublicFQDN>/, matching the scheme the client uses.

(Screenshot: SSO.png, the SP Entity ID field in Manage SSO)

The user will be redirected to the value of the SP entity ID field.
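The following is an added example, not part of the KEMP article, that shows why the mismatch above sends the user to the wrong host: it parses a constructed SAML AuthnRequest (placeholder hostnames, not from any real deployment) and checks whether the SP Entity ID carried in the Issuer element matches the host the client actually browsed to. It also checks the AssertionConsumerServiceURL, which in a normal SAML SP deployment carries the same hostname and would fail in the same way; that second check goes beyond what the article states.

```python
"""Verify a SAML AuthnRequest's SP Entity ID against the client's requested host."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample AuthnRequest; hostnames are placeholders for this example.
# The Issuer still carries the internal FQDN, as in the scenario described above.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    AssertionConsumerServiceURL="https://app.internal.example/"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://app.internal.example/</saml:Issuer>
</samlp:AuthnRequest>"""


def expected_entity_id(public_fqdn: str, scheme: str = "https") -> str:
    """Build the SP Entity ID in the format the article requires: https://<PublicFQDN>/"""
    return f"{scheme}://{public_fqdn.lower()}/"


def check_authn_request(xml_text: str, requested_host: str) -> dict:
    """Compare the Issuer (SP Entity ID) and ACS URL in an AuthnRequest with the
    host the client browsed to, and report where the browser will end up."""
    root = ET.fromstring(xml_text)
    issuer_el = root.find("saml:Issuer", NS)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else ""
    acs_url = root.get("AssertionConsumerServiceURL", "")
    issuer_host = urlsplit(issuer).hostname or ""
    acs_host = urlsplit(acs_url).hostname or ""
    wanted = requested_host.lower()
    return {
        "issuer": issuer,
        "issuer_matches": issuer_host == wanted,
        "acs_matches": acs_host == wanted,
        # After authentication the user is sent to the SP Entity ID host.
        "redirect_host": issuer_host,
        "expected_entity_id": expected_entity_id(wanted),
    }


if __name__ == "__main__":
    result = check_authn_request(SAMPLE_AUTHN_REQUEST, "app.public.example")
    print(result)
```

The check only covers the LoadMaster side of the exchange; the question above also notes that the IdP application itself has the internal FQDN registered as SP Identity, so the same value has to be updated there for the IdP to accept the new Entity ID.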

Workaround: Have the user browse to the internal FQDN.
Notes:  
