Overview: Using step-up authentication with SAML

SAML is a federated authentication technology that allows users to log in to APM without actually sending credentials. You can use step-up authentication with SAML if you configure APM as a service provider (SP), and put a SAML Auth agent in a subroutine in a per-request policy. The policy can then perform step-up authentication, for example, when end users access different resources. The primary requirement is that the client must be a full web browser, such as Chromium or Firefox.

When configured, the SAML Auth agent generates authentication requests and parses assertions from SAML Identity Providers (IdPs). For step-up authentication, SAML Auth is always part of a subroutine, so subsession timeouts (specified in Subroutine Settings) dictate subsession length.

The example described in this section shows how to configure step-up authentication for SAML using APM as a service provider. On receiving a validated SAML assertion from the Identity Provider, the system creates subsession variables that you can use for enforcing additional access control and for implementing single sign-on (SSO).

For details on using APM as a SAML Service Provider, refer to

BIG-IP Access Policy Manager: SAML Configuration

.