SAML is a federated authentication technology that allows users to log in to
APM without actually sending credentials. You can use step-up authentication with SAML if you
configure APM as a service provider (SP), and put a SAML Auth agent in a subroutine in a
per-request policy. The policy can then perform step-up authentication, for example, when end
users access different resources. The primary requirement is that the client must be a full web
browser, such as Chromium or Firefox.
When configured, the SAML Auth agent generates authentication requests and
parses assertions from SAML Identity Providers (IdPs). For step-up authentication, SAML Auth is
always part of a subroutine, so subsession timeouts (specified in Subroutine Settings) dictate
The example described in this section shows how to configure step-up
authentication for SAML using APM as a service provider. On receiving a validated SAML assertion
from the Identity Provider, the system creates subsession variables that you can use for
enforcing additional access control and for implementing single sign-on (SSO).
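As an added illustration (not F5 APM code), the following Python models the flow just described: an SP-side check of an assertion's Conditions, the resulting subsession variables, and a per-request step-up decision that the subsession timeout governs. It assumes a constructed assertion, a constructed SP entity ID, a 10-minute timeout standing in for Subroutine Settings, and that the response signature was already verified upstream.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://apm.example.com/sp"    # constructed SP entity ID
SUBSESSION_TIMEOUT = timedelta(minutes=10)      # stands in for Subroutine Settings

# Constructed minimal assertion; signature verification is assumed already done.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://apm.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups"><saml:AttributeValue>finance</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(iso):
    # Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z.
    return datetime.fromisoformat(iso.replace("Z", "+00:00")).astimezone(timezone.utc)

def parse_assertion(xml_text, now_iso, sp_entity_id=SP_ENTITY_ID):
    """Enforce Conditions; return subsession variables, or None if the assertion is rejected."""
    now = _ts(now_iso)
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    nb, noa = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if nb is None or noa is None or not (_ts(nb) <= now < _ts(noa)):
        return None                      # outside the validity window
    if sp_entity_id not in [a.text for a in root.findall(".//saml:Audience", NS)]:
        return None                      # assertion was issued for a different SP
    subsession = {"subject": root.findtext(".//saml:NameID", namespaces=NS),
                  "auth_time": now.isoformat()}
    for attr in root.findall(".//saml:Attribute", NS):
        subsession[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return subsession

def step_up_allows(subsession, now_iso, required_group):
    """Per-request check: a live subsession within the timeout that holds the required group."""
    if subsession is None:
        return False
    if _ts(now_iso) - _ts(subsession["auth_time"]) >= SUBSESSION_TIMEOUT:
        return False                     # subsession expired: the SAML Auth subroutine must run again
    return required_group in subsession.get("groups", [])
```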
For details on using APM as a SAML Service Provider, refer to BIG-IP Access Policy Manager: SAML Configuration.