Manual Chapter :
Using APM as a SAML IdP (no SSO portal)
Applies To:
Show Versions
BIG-IP APM
14.1.5,
14.1.4,
14.1.3,
14.1.2,
14.1.0
Using APM as a SAML IdP (no SSO portal)
Overview: Configuring a BIG-IP system as IdP for SP-initiated connections only
A configuration that allows users to initiate connection from service providers
(SPs) only, works only when all service providers require the same assertion type, and value, and
the same attributes from the IdP.
Configuration requirements for supporting SP-initiated connections only
For
Access Policy Manager as a SAML identity provider (IdP) to support only
connections that start at a service provider, you need to meet these configuration requirements:
SAML IdP services: One.
SAML SP connectors: One for each SAML service provider.
SSL certificate and key: One set for each SAML service provider, imported into the store on
the BIG-IP® system.
An access profile.
An access policy.
A virtual server that assigns the access profile.
Configuration requirements are summarized in this diagram.
Configuration requirements for supporting SP-initiated connections
About local IdP
service
A
SAML IdP service
is a type of single
sign-on (SSO) authentication service in Access Policy
Manager (APM). When you use a BIG-IP system as a SAML identity provider (IdP), a SAML IdP service
provides SSO authentication for external SAML service providers (SPs). You must bind a SAML IdP
service to SAML SP connectors, each of which specifies an external SP. APM responds to
authentication requests from the service providers and produces assertions for them.
About SP connectors
A SAML service provider connector (an SP connector) specifies how a BIG-IP® system, configured as a SAML Identity Provider (IdP), connects with an external
service provider.
What are the available ways I can configure a SAML SP connector?
You can use one or more of these methods to configure SAML service provider (SP) connectors in
Access Policy Manager.
From metadata - Obtain a metadata file from the vendor and import it into Access Policy
Manager. The advantage to this method is that the vendor provides the majority of all
required data, including certificates. You can complete the configuration by simply typing a
unique name for the SP connector, a very few additional required fields, and browsing to and
importing the file. Access Policy Manager then configures the SP connector.
From template - Use templates that Access Policy Manager provides for some vendors; for
example, Google. The advantages to this method are that:
Most required data is included in the template
Additional required data is minimal. You can obtain it and certificates from the
vendor
After you select a template and type data into a few fields, Access Policy Manager
configures the SP connector.
Custom - Obtain information from the vendor and type the settings into the Configuration
utility. To use this method, you must also obtain certificates from the vendor and import
them into the BIG-IP® system. Use this method when a metadata file or a
template for an SP connector is not available.
Task summary for configuring APM as a SAML identity provider
Setting up a BIG-IP system as a SAML identity provider (IdP) system
involves two major activities:
First, you set up connection from the BIG-IP system to the external SAML service providers
(SPs)
Then, you set up connection from the external SAML SPs to the BIG-IP system
Task list
Flowchart: Configuration to support SP-initiated connections only
This flowchart illustrates the process for configuring a BIG-IP® system as
a SAML identity provider (IdP) without providing an SSO portal.
Creating a virtual server for a BIG-IP (as SAML IdP) system
Specify a host virtual server to use as the
SAML Identity Provider
(IdP).
On the Main tab, click
Local Traffic
Virtual Servers
.
The Virtual Server List
screen opens.
Click
Create
.
The New Virtual Server screen
opens.
In the
Name
field, type a unique
name for the virtual server.
For the
Destination Address/Mask
setting, confirm that the
Host
button is selected, and type the IP address in CIDR
format.
The supported format is address/prefix,
where the prefix length is in bits. For example, an IPv4 address/prefix is
10.0.0.1
or
10.0.0.0/24
, and
an IPv6 address/prefix is
ffe1::0020/64
or
2001:ed8:77b5:2:10:10:100:42/64
. When you use an IPv4 address
without specifying a prefix, the BIG-IP system automatically uses a
/32
prefix.
The IP address you type must be available and not in
the loopback network.
In the
Service Port
field, type
443
or select
HTTPS
from the
list.
For the
HTTP Profile (Client)
setting, verify that the default HTTP profile,
http
, is selected.
For the
SSL Profile (Client)
setting,
from the
Available
list, select the name of the Client SSL profile you previously created and move
the name to the
Selected
list.
For the
SSL Profile (Server)
setting,
select
pcoip-default-serverssl
.
From the
Source Address Translation
list, select
Auto
Map
.
Click
Finished
.
The virtual server for the BIG-IP system configured as an IdP
now appears on the Virtual Server List. The virtual server destination is available for
use in the SAML IdP service configuration.
Configuring an
artifact resolution service
Before you configure the artifact resolution service (ARS), you need to have configured
a virtual server. That virtual server can be the same as the one used for the SAML
Identity Provider (IdP), or you can create an additional virtual server.
F5
highly recommends that the virtual server definition include a server SSL
profile.
You configure an ARS so that a BIG-IP system that
is configured as a SAML IdP can provide SAML artifacts in place of assertions. With ARS,
the BIG-IP system can receive Artifact Resolve Requests (ARRQ) from service providers,
and provide Artifact Resolve Responses (ARRP) for them.
On the Main tab, click
Access
Federation
SAML Identity
Provider
Artifact Resolution
Services
.
Click
Create
.
The Create New SAML Artifact
Resolution Service popup screen opens, showing general settings.
In the
Name
field, type a name for
the artifact resolution service.
In the
Description
field, type a new
description.
Click
Service Settings.
From the
Virtual Server
list, select
the virtual server that you created previously.
ARS listens on the IP address and port
configured on the virtual server.
In the
Artifact Validity (Seconds)
field, type the number of seconds for which the artifact remains valid. The
default is 60 seconds.
The BIG-IP system deletes the artifact if
the number of seconds exceeds the artifact validity number.
For the
Send Method
setting, select
the binding to use to send the artifact, either
POST
or
Redirect
.
In the
Host
field, type the host
name defined for the virtual server, for example
ars.siterequest.com
.
In the
Port
field, type the port
number defined in the virtual server. The default is
443
.
Click
Security Settings.
To require that artifact resolution messages from
an SP be signed, select the
Sign
Artifact Resolution Request
check box.
To use HTTP Basic authentication for artifact
resolution request messages, in the
User Name
field, type a name
for the artifact resolution service request and in the
Password
field, type a
password.
These credentials must be present in all
Artifact Resolve Requests sent to this ARS.
Click
OK
.
The popup screen closes,
leaving the Artifact Resolution Services list screen open.
The Artifact Resolution Service is ready for use.
Configuring SAML SP
connectors
Before you can configure a SAML service provider, you must first obtain an SSL
certificate from the SAML service provider (SP) and import it into the certificate store
on the BIG-IP system.
You configure information about a SAML service
provider so that Access Policy Manager (APM) can act as a SAML Identity Provider (IdP)
for it.
Configure one SAML SP connector for each external SAML service
provider for which this BIG-IP system provides SSO authentication service.
On the Main tab, click
Access
Federation
SAML Identity
Provider
External SP
Connectors
.
A list of SAML SP connectors
displays.
Click
Create
.
The Create New SAML SP
Connector screen opens.
In the
Service Provider Name
field,
type a unique name for the SAML SP connector.
In the
SP Provider Entity ID
field,
type a unique identifier for the service provider.
This is usually a unique URI that
represents the service provider. You should obtain this value from the service
provider.
From the left pane, select
Endpoint Settings
.
The appropriate settings are
displayed.
In the
Relay State
field, type a
value.
The relay state can be an absolute path,
such as
/hr/index.html
;
it can be a URL, such as
https://www.abc.com/index.html
; or, it can be anything that the
service provider understands. The information passed in relay state could be
used by the service provider according to business logic. For example, some
service providers use relay state to maintain a session state, while others use
it to perform an action, such as redirecting the user to the page passed in
relay state. APM sends the relay state value back to the service provider as
part of the assertion response in the
RelayState
parameter.
When the
RelayState
parameter
is already part of the authentication request to the BIG-IP system, APM
returns the value that was sent in the request. Otherwise, APM uses the
value from this configuration.
In the
Assertion Consumer
Services
area, specify at least one assertion consumer
service.
A service provider can use multiple
bindings to receive an assertion from the Identity Provider. The service
provider can specify a different assertion consumer service (ACS) URL for each
binding, and provide a unique ACS URL index for the binding.
To support SAML artifacts, make sure that at least one ACS
specifies the artifact binding.
Click
Add
.
A new row displays in
the table.
In the
Index
field, type the
index number, zero (0) or greater.
If this is the default service, select the
Default
check box.
You must specify one of the
services as the default.
In the
Location URL
field,
type the URL where the IdP can send an assertion to this service
provider.
APM supports HTTP-Artifact
binding, POAS (HTTP reverse SOAP) binding, and HTTP-POST binding to this
service.
From the
Binding
list, select
Artifact
,
PAOS
, or
POST
.
Click
Update
.
From the left pane, select
Security Settings
.
If the SP should sign the authentication
or the artifact resolution requests that it sends to the SAML IdP (this
BIG-IP system), select the
Require Signed Authentication Request
check box, select
a private key from the
Message Signing Private Key
list, and select a
certificate from the
Message Signing Certificate
list.
This device (BIG-IP system as
IdP) uses the certificate to verify the signature of the request from
the SP.
To require that the SAML IdP sign the
assertion before sending it to the SP, select the
Assertion must be
signed
check box, and select an algorithm from the
Signing
Algorithm
list.
Assertion must be
signed
is selected by default. Clearing this check box
is not recommended.
To require that the SAML IdP sign the
response before sending it to the SP, select the
Response must be
signed
check box.
The algorithm specified in the
Signing Algorithm
list applies to a signed assertion and a signed response.
To require that the SAML IdP encrypt the
assertion before sending it to the SP, select the
Assertion must be
encrypted
check box, select a type from the
Encryption Type
list,
and select a certificate from the
Encryption
Certificate
list.
APM supports AES128, AES192, and
AES256 encryption types.
From the left pane, select
SLO Service Settings
.
SLO stands for Single Logout.
In the
Single Logout Request
URL
field, type a URL specifying where APM should send a
logout request to this service provider when the BIG-IP system initiates
a logout request.
In the
Single Logout Response
URL
field, type a URL provided by the SP, where APM
sends the logout response to the SP.
From the
Single Logout Binding
list, select how
the BIG-IP system sensd a logout request to the service provider.
APM supports HTTP-POST binding for the SLO service.
For SLO to work, all entities (SPs and IdPs), must support SLO.
From the left pane, select
SP Location Settings
.
From the
Service Provider Location
list, select whether the location of the SP is external, internal, or internal multi-domain.
Set
Service Provider
Location
to Internal when configuring APM as a SAML
IdP for inline SSO.
Click
OK
.
The popup screen
closes.
APM creates a SAML SP connector. It is available to bind to a SAML IdP service.
Configuring a SAML
IdP service
Configure a SAML Identity Provider (IdP) service
for the BIG-IP system, configured as a SAML IdP, to provide authentication service for
SAML service providers (SPs).
Configure this
IdP service to meet the requirements of all SAML service providers that you bind
with it.
On the Main tab, click
Access
Federation
SAML Identity
Provider
.
The Local IdP Services screen
opens.
Click
Create
.
The Create New IdP Service
popup screen displays.
In the
IdP Service Name
field, type
a unique name for the SAML IdP service.
The maximum length of a single sign-on configuration, such as the SAML IdP
service, is 225 characters, including the partition name.
In the
IdP Entity ID
field, type a
unique identifier for the IdP (this BIG-IP system).
Typically, the ID is a URI that points to
the BIG-IP virtual server that is going to act as a SAML IdP. If the entity ID
is not a valid URL, the
Host
field is required.
For example, type
https://siterequest.com/idp
,
where the path points to the virtual server you use for BIG-IP system as a SAML
IdP.
If the
IdP Entity ID
field does not
contain a valid URI, you must provide one in the IdP Name Settings area:
From the
Scheme
list select
https
or
http
.
In the
Host
field, type a
host name.
For example, type
siterequest.com
in the
Host
field.
From the
Log Setting
list, select one
of the following options:
Select an existing APM log setting.
Click
Create
to create a new
log setting.
If you select
SAML Profiles
on the left
pane, the
Web Browser
SSO
check box is selected by default.
At least one profile must be selected.
To specify that this IdP use an artifact
resolution service, click
Endpoint
Settings
on the left pane and select a service from the
Artifact Resolution
Service
list.
On the left pane, select
Assertion Settings
and
complete the settings that display:
From the
Assertion Subject
Type
list, select the type of subject for the IdP to
authenticate.
From the
Assertion Subject
Value
list, select the name of a session variable.
This variable,
%{session.logon.last.username}
, is generally applicable.
Some session variables are applicable depending on the type of
authentication that you use for your site.
In the
Authentication Context Class
Reference
field, select a URI reference.
The URI reference identifies an
authentication context class that describes an authentication context
declaration.
In the
Assertion Validity (in
seconds)
field, type the number of seconds for which the
assertion is valid.
To encrypt the subject, select the
Enable encryption of
Subject
check box.
The
Encryption Strength
list becomes available.
From the
Encryption Strength
list, select a value.
Supported values are AES128,
AES192, and AES256.
On the left pane, select
SAML Attributes
, and for each
attribute that you want to include in the attribute statement, repeat these
substeps.
Click
Add
.
A Create New SAML
Attribute popup screen displays.
In the
Name
field, type a
unique name for the attribute.
Usually, the name is a fixed
string, but it can be a session variable.
To add a value to the attribute, click
Add
, type
a value in the
Value(s)
field, and click
Update
to complete
the addition.
You can use a session variable
for the value.
This example shows using a
fixed string for the name and a session variable for the value. Name:
user_telephonenumber
and value:
%{session.ad.last.attr.telephoneNumber}
.
You can repeat this step to add
multiple values for an attribute.
To encrypt the values, select the
Encrypt
check box and select a value from the
Type
list.
Supported values for type are
AES128, AES192, and AES256.
Click
OK
.
The Create New SAML
Attribute popup screen closes.
Click
Security Settings
from the
left pane.
From the
Signing Key
list,
select the key from the BIG-IP system store.
None
is selected by
default.
From the
Signing Certificate
list, select the certificate from the BIG-IP system store.
When selected, the IdP (the
BIG-IP system) publishes this certificate to the service provider so the
service provider can verify the assertion.
None
is selected by
default.
Click
OK
.
The popup screen closes. The
new IdP service appears on the list.
Access Policy Manager (APM) creates a SAML IdP service. It is available to bind to SAML
SP connectors. This service works with external service providers that share the same
requirements for assertion settings and SAML attribute settings.
Binding a SAML IdP service to multiple SP connectors
Select a SAML Identity Provider (IdP) service and
the SAML service provider (SP) connectors that use the service so that this BIG-IP
system can provide authentication (SAML IdP service) to external SAML service providers.
On the Main tab, click
Access
Federation
SAML Identity
Provider
.
The Local IdP Services screen
opens.
Select a SAML IdP service from the list.
A SAML IdP service provides
authentication service.
Click
Bind/Unbind SP
Connectors
.
The screen displays a list of
available SAML SP connectors.
Select only the SAML SP connectors that you want
to use this service.
Click
OK
.
The screen
closes.
The SAML IdP service is bound to the SAML service providers specified in the SAML SP
connectors.
Exporting SAML IdP metadata from APM
You need to convey the SAML Identity Provider (IdP) metadata from Access Policy Manager (APM) to the external service
providers that use the SAML IdP service. Exporting the IdP metadata for a SAML IdP
service to a file provides you with the information that you need to do this.
On the Main tab, click
Access
Federation
SAML Identity
Provider
.
The Local IdP Services screen
opens.
Select a SAML IdP service from the table and click
Export
Metadata
.
A popup screen opens, with
No
selected on the
Sign Metadata
list.
For APM to sign the metadata, perform these steps:
From the
Sign Metadata
list,
select
Yes
.
From the
Signing Key
list,
select a key.
APM uses the key to sign the
metadata.
From the
Signature Verification
Certificate
list, select a certificate.
APM exports the certificate to
the metadata file. The system on which you import the metadata file can
use the certificate to verify the metadata signature.
Select
OK
.
APM downloads an XML
file.
An XML file that contains IdP metadata is available.
Creating an access profile associated with the SAML IdP service
Use this procedure when this BIG-IP system, as a SAML Identity Provider (IdP),
supports service provider-initiated connections only.
On the Main tab, click
Access
Profiles / Policies
.
The Access Profiles (Per-Session Policies) screen opens.
Click
Create
.
The New Profile screen opens.
In the
Name
field, type a name for the access
profile.
A access
profile name must be unique among all access profile and any per-request
policy names.
In the SSO Across Authentication Domains (Single Domain mode) area, from the
SSO Configuration
list, select the name of the local
SAML IdP service.
In the Language Settings area, add and remove accepted languages, and set the
default language.
A browser uses the highest priority accepted language. If no browser language
matches the accepted languages list, the browser uses the default
language.
Click
Finished
.
The access profile displays in the Access Profiles
List. Default-log-setting is assigned to the access profile.
Verifying log settings for the access profile
Confirm that the correct log settings are selected
for the access profile to ensure that events are logged as you intend.
Log settings
are configured in the
Access
Overview
Event Log
Settings
area of the product. They enable and disable logging for access
system and URL request filtering events. Log settings also specify log publishers
that send log messages to specified destinations.
On the Main tab, click
Access
Profiles / Policies
.
The Access Profiles (Per-Session Policies) screen opens.
Click the name of the access profile that you want to edit.
The properties screen opens.
On the menu bar, click
Logs
.
The access profile log settings display.
Move log settings between the
Available
and
Selected
lists.
You can assign up to three log settings that enable access system logging to
an access profile. You can assign additional log settings to an access profile
provided that they enable logging for URl request logging only.
Logging is
disabled when the
Selected
list is
empty.
Click
Update
.
An access profile is in effect when it is assigned to a virtual server.
Configuring an
access policy to provide authentication from the local IdP
Configure an access policy so that this BIG-IP
system, as a SAML Identity Provider (IdP) can provide authentication for SAML service
providers.
On the Main tab, click
Access
Profiles / Policies
.
The Access Profiles (Per-Session Policies) screen opens.
In the Per-Session Policy column, click the
Edit
link
for the access profile you want to configure.
The visual policy editor opens the access policy in a separate
screen.
Click the
(+)
icon anywhere in the access policy to add
a new item.
Only an
applicable subset of access policy items is available for selection in the
visual policy editor for any access profile type.
A popup screen opens, listing predefined actions on tabs such as General
Purpose, Authentication, and so on.
On the Logon tab, select
Logon Page
and click the
Add Item
button.
The Logon Page Agent properties screen opens.
Make any changes that you require to the logon page properties and click
Save
.
The properties screen closes and the policy displays.
Add one or more authentication checks on the fallback branch after the
Logon Page
action.
Select the authentication checks that are appropriate for application access
at your site.
Add any other branches and actions that you need to complete the policy.
Change the Successful rule branch from
Deny
to
Allow
, and then click the
Save
button.
Click the
Apply Access Policy
link to apply and activate
the changes to the policy.
Click the
Close
button to close the visual policy
editor.
You have an access policy that presents a logon page and authenticates the user..
Access policy
to provide authentication for SAML service providers when this BIG-IP system is the
IdP
To apply this access policy to network
traffic, add the access profile to a virtual server.
To ensure that logging is configured to meet your
requirements, verify the log settings for the access profile.
Adding the access profile to the virtual server
You associate the access profile with the virtual server so that the system can apply the profile to incoming traffic.
On the Main tab, click
Local Traffic
Virtual Servers
.
The Virtual Server List
screen opens.
Click the name of the virtual server you want to
modify.
In the Access Policy area, from the
Access Profile
list, select
the access profile that you configured earlier.
Click
Update
to save the
changes.
Adding IdP metadata
from APM to external SAML SPs
To complete the agreement between Access Policy
Manager as the SAML IdP and a SAML Service Provider (SP), you must configure IdP
metadata at the service provider.
Complete this
step on each SAML service provider for which an SP connector is bound to the SAML
IdP service in APM.
Using the method that the vendor provides,
either:
Import the SAML IdP metadata file that you
exported from APM for the SAML IdP service that this service provider
uses.
Or take information from the SAML IdP
metadata file that you exported from APM for the SAML IdP service and add it
to the service provider using the vendor's interface. Pay particular
attention to the values for entityID, AssertionConsumerService,
SingleSignOnService, and the certificate.
Regardless of the value of entityID in the metadata file, type an SSO
URI that consists of the virtual server host and
/saml/idp/profile/redirectorpost/sso. For example, if the host virtual
server is https://Bigip-idp, type:
