I am deploying a BigIP IdP SAML virtual server in IdP-initiated mode using the iApps template f5.saas_idp.v1.0.1rc1, following the instructions from https://www.f5.com/pdf/deployment-guides/saml-idp-saas-dg.pdf
It works well from the BigIP wizard, but I want to automate and document the deployment with an Ansible playbook:
- name: Deploy {{ idp_host }} with f5.saas_idp iApp template
  bigip_iapp_service:
    name: "saas_idp_{{ idp_host }}"
    template: f5.saas_idp.v1.0.1rc1
    parameters:
      tables:
        - name: saas_apps__saas_choice
          columnNames:
            - app_name
            - app_selection
            - app_sp
            - sp_initiated
          rows:
            - row:
                - "{{ saml_saas_name }}"
                - "/#zendesk#"
                - "{{ saml_saas_sp }}"
                - no # which means "Yes, IdP and SP" (unquoted, so YAML loads it as a boolean)
        - name: saas_apps__saas_attributes
          # Empty
      variables:
        - name: options__advanced_mode
          value: yes # unquoted, so YAML loads it as a boolean, not the string "yes"
        - name: saas_virtual__addr
          value: "{{ idp_address }}"
        - name: saas_virtual__port
          value: 443
        - name: idp_encryption__cert
          value: /Common/{{ idp_host }}_saml_idp_metadata_cert.crt
        - name: idp_encryption__key
          value: /Common/{{ idp_host }}_saml_idp_metadata_cert.key
        - name: saas_virtual__vlan_listening
          value: enabled
        - name: saas_virtual__vlan_selections
          value: /Common/Internal
        - name: saas_virtual__lan_or_wan
          value: LAN
        - name: saas_virtual__tcp_lan_opt
          value: tcp-lan-optimized
        - name: saas_virtual__http
          value: http
        - name: saas_virtual__clientssl
          value: /Common/clientssl_wildcard_2017-2020
        - name: saas_virtual__chainssl
          value: "/#do_not_use#" # was mistakenly given as a second "name:" key
        - name: apm__apm_policy
          value: "/#create_new#"
        - name: apm__saml_entity_id_format
          value: url
        - name: apm__saml_entity_id
          value: https://{{ idp_host }}
        - name: apm__aaa_profile
          value: /Common/AAA_myAD
        - name: apm__logging
          value: /Common/default-log-setting
    force: no
    state: present
    strict_updates: no
But the script fails, requiring saas_virtual__key, saas_virtual__cert and saas_virtual__chainssl, whereas they are not expected as I provide an existing saas_virtual__clientssl in Advanced mode:
message":"script did not successfully complete: (can't read "::saas_virtual__key": no such variable
while executing
"iapp_conf create $cssl_cmd key $::saas_virtual__key cert $::saas_virtual__cert chain none"
invoked from within
"subst $substa_out"
invoked from within
"if { [info exists [set substa_in]] } {
set substa_out [subst $$substa_in]
set substa_out [subst $substa_out]
} else {
..."
("uplevel" body line 3)
invoked from within
"uplevel {
append ::substa_debug "
$substa_in"
if { [info exists [set substa_in]] } {
set substa_out [subst $$substa_in]
..."
(procedure "iapp_substa" line 9)
invoked from within
"iapp_substa client_ssl_arr($new_client_ssl,$do_chain_cert)"
invoked from within
"iapp_conf create ltm virtual ${app}_vs destination [iapp_destination $::saas_virtual__addr $::saas_virtual__port] ip-protocol tcp profiles replace-..."
Providing these variables does not help; the script then fails to load because of a key password I cannot provide:
Error reading key PEM file /Common/wildcard_2017-2020.key
for profile /Common/saas_idp.app/saas_idp_myidphost_client-ssl: error:0906A068:PEM routines:PEM_do_header:bad password read
So from my point of view, the best option is to get the template to use my existing clientssl profile. How to proceed? Is there a way to 'debug' the iApps template script, at least to inspect variables?
I found out where the trap to avoid was: Ansible replaced the yes value with the Python boolean object True before submitting the variable, so discarding the expected string.
As a result, advanced mode was not enabled, and that is why the TCL iApps execution tries to create a new clientssl profile.
So the iApps template is definitely good... but to ease automation from REST or Ansible, input parameter validation could be improved to emit a relevant warning before failing with an error message and stack trace.
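To see the trap concretely, here is an added example (not part of the post or of F5's iApp or Ansible code) that shows which unquoted scalars PyYAML, the parser Ansible uses, turns into booleans, and a pre-flight check that flags bool-typed values in a loaded bigip_iapp_service "parameters" structure and maps them back to text. The sample parameters and the "yes"/"no" mapping are assumptions mirroring the playbook above.

```python
import re
from copy import deepcopy

# PyYAML follows YAML 1.1: every unquoted scalar matched below is loaded as
# a Python bool, so the iApp never receives the text "yes" or "no".
YAML11_BOOL = re.compile(
    r"^(?:y|Y|yes|Yes|YES|n|N|no|No|NO|true|True|TRUE|false|False|FALSE"
    r"|on|On|ON|off|Off|OFF)$"
)

def coerces_to_bool(scalar):
    """Would this unquoted YAML 1.1 scalar be loaded as a bool?"""
    return YAML11_BOOL.match(scalar) is not None

def _as_text(value):
    # Assumption: the iApp expects the literal strings "yes" / "no".
    return "yes" if value else "no"

def check_iapp_parameters(parameters):
    """Scan a loaded 'parameters' dict (variables and table rows) for
    bool-typed values. Returns (offending names, corrected deep copy)."""
    fixed = deepcopy(parameters)
    problems = []
    for var in fixed.get("variables", []):
        if isinstance(var.get("value"), bool):
            problems.append(var["name"])
            var["value"] = _as_text(var["value"])
    for table in fixed.get("tables", []):
        cols = table.get("columnNames", [])
        for r, row in enumerate(table.get("rows", [])):
            for c, cell in enumerate(row.get("row", [])):
                if isinstance(cell, bool):
                    col = cols[c] if c < len(cols) else str(c)
                    problems.append(f"{table['name']}[{r}].{col}")
                    row["row"][c] = _as_text(cell)
    return problems, fixed

# Constructed sample: what Ansible hands the module after loading the playbook.
SAMPLE = {
    "tables": [{
        "name": "saas_apps__saas_choice",
        "columnNames": ["app_name", "app_selection", "app_sp", "sp_initiated"],
        "rows": [{"row": ["Zendesk", "/#zendesk#", "https://sp.example", False]}],
    }],
    "variables": [
        {"name": "options__advanced_mode", "value": True},  # was: value: yes
        {"name": "saas_virtual__port", "value": 443},       # ints stringify cleanly
        {"name": "saas_virtual__lan_or_wan", "value": "LAN"},
    ],
}

if __name__ == "__main__":
    print("bool-typed iApp parameters:", check_iapp_parameters(SAMPLE)[0])
```

Quoting the values in the playbook ("yes", "no") avoids the coercion; the check above catches the cases that slipped through before the iApp's TCL sees them.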