Manual Chapter : Configuring APM as a SAML IdP for Inline SSO

Applies To:

BIG-IP APM

  • 15.0.0

Overview: Configuring APM as a SAML IdP for inline SSO

You can configure the BIG-IP APM system as a Security Assertion Markup Language (SAML) Identity Provider (IdP) to provide inline single sign-on (SSO) for service providers (SP) not directly reachable by the client.
With SAML inline SSO, users authenticated through APM (configured as a SAML IdP) can access resources outside of the APM webtop. BIG-IP APM also supports SP-initiated multi-domain SAML inline SSO.
In this example, the BIG-IP system is configured in LTM+APM mode. Pool members refer to the SP. You can configure APM as either a SAML IdP or as both a SAML IdP and SP.

Configuring an access profile for SAML inline SSO

To configure SAML inline SSO, you need to create an access profile to support the LTM-APM profile type with single domain SSO.
  1. On the Main tab, click Access > Profiles / Policies.
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click Create.
    The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
    An access profile name must be unique among all access profile names and per-request policy names.
  4. From the Profile Type list, select LTM-APM.
    Additional settings display.
  5. From the Profile Scope list, select the appropriate scope to grant to users being examined by this policy.
  6. In the SSO Across Authentication Domains (Single Domain mode) area:
    1. Retain the default settings for Domain Cookie (blank) and Cookie Options (with only the Secure check box selected).
    2. From SSO Configuration, select the SSO configuration to apply to the domain.
  7. In the Language Settings area, add and remove accepted languages, and set the default language.
    A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  8. Click Finished.
    This creates an access profile with a default access policy.
The access profile displays in the Access Profiles List. Default-log-setting is assigned to the access profile.

Creating a virtual server for SAML inline SSO

Before you start this task, configure a client SSL profile and a server SSL profile.
Specify a host virtual server to use as the SAML IdP.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click Create.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type the IP address for a host virtual server.
    This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address.
  5. In the Service Port field, type 443 or select HTTPS from the list.
  6. For the HTTP Profile setting, verify that the default HTTP profile, http, is selected.
  7. For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL profile you previously created and move the name to the Selected list.
  8. For the SSL Profile (Server) setting, from the Available list, select the name of the Server SSL profile you previously created and move the name to the Selected list.
  9. In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
  10. In the Resources area of the screen, from the Default Pool list, select the pool containing the service provider IP address.
  11. Click Finished.
The virtual server for the BIG-IP system configured for SAML inline SSO now appears on the Virtual Server List.

Tasks to complete SAML inline SSO

The steps to finish configuring APM as a SAML Identity Provider (IdP) for SAML inline SSO (or SAML multi-domain inline SSO) are included in the section Using APM as a SAML IdP (SSO portal), which appears in the SAML Configuration guide.
  • Configuring an artifact resolution service
  • Configuring SAML SP connectors
  • Configuring a SAML IdP service for one SP connector
  • Binding a SAML IdP service to one SP connector
  • Exporting SAML IdP metadata from APM
  • Configuring a SAML resource and attaching a SAML IdP service
  • Configuring an access policy for a SAML SSO portal
  • Adding IdP metadata from APM to external SAML SPs

Overview: Configuring APM as a SAML IdP for multi-domain inline SSO

You can configure multi-domain inline SAML SSO when multiple service providers (SPs) are located behind different virtual servers. All SPs share a single access profile with SAML assertions generated on request by the Identity Provider (IdP).
A user can connect to any of the SPs protected by the virtual servers in the domain group, and be authenticated by the IdP. Subsequent connections to other SPs within the domain group do not require users to authenticate.

Creating an access profile for SAML multi-domain inline SSO

To configure SAML multi-domain inline SSO, you need to create an access profile to support the LTM-APM profile type with multi-domain SSO.
  1. On the Main tab, click Access > Profiles / Policies.
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click Create.
    The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
    An access profile name must be unique among all access profile names and per-request policy names.
  4. From the Profile Type list, select LTM-APM.
    Additional settings display.
  5. From the Profile Scope list, select the appropriate scope to grant to users being examined by this policy.
  6. In the Language Settings area, add and remove accepted languages, and set the default language.
    A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  7. Click Finished.
    This creates an access profile with a default access policy.
  8. From the list, click the name of the access profile you just created.
  9. On the menu bar, click SSO/Auth Domains.
  10. For the Domain Mode setting, select Multiple Domains.
  11. For Primary Authentication URI, type the URI to the IdP, for example, http://idp.domain.com.
    Each domain that you configure indicates the domain to which the APM session (established by the primary authentication URI) is bound.
  12. In the Authentication Domain Configuration area, for Cookie, select Host or Domain. For a host, type the IP address; for a domain, type the fully qualified domain name.
  13. Configure the Cookie Options.
    The default is Secure.
    When Cookie Scope for application virtual servers in a multi-domain SSO is set to Domain, the BIG-IP system also uses the SSO configuration (IdP object) configured for that domain in the SSO Config attribute, provided that the Primary Authentication URI is in the same domain.
    When Cookie Scope for application virtual servers in a multi-domain SSO is set to Host, the BIG-IP system ignores the SSO Config (IdP object) for that host when processing authentication requests from the internal SP; SAML authentication requests are processed by the primary authentication virtual server hosting the IdP. Instead, the IdP objects assigned in the access policy and access profile for the Primary Authentication URI are applied when processing authentication requests from the internal SP.
  14. From SSO Configuration, select the configuration that you want to associate with each host or domain.
  15. Click Update.
The access profile is created and updated for multi-domain inline SSO.
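The Cookie Scope rules in step 13 are easy to misread, so here is an added Python model (not F5's code) of which IdP objects APM applies to an internal SP's SAML request under each scope. The AuthDomain fields, function names and sample values are assumptions, and the label-aligned match in in_domain() is this example's reading of "in the same domain".

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class AuthDomain:
    """One entry in the Authentication Domain Configuration area (hypothetical model)."""
    cookie_scope: str           # "Host" or "Domain"
    cookie_value: str           # IP address for Host scope, FQDN for Domain scope
    sso_config: Optional[str]   # IdP object selected in the SSO Config attribute, if any


def in_domain(hostname: str, domain: str) -> bool:
    """True if hostname is the domain itself or a label-aligned subdomain of it.
    A bare endswith() would wrongly accept 'idp.notdomain.com' for 'domain.com'."""
    h = hostname.lower().rstrip(".")
    d = domain.lower().strip(".")
    return h == d or h.endswith("." + d)


def applicable_idp_objects(primary_auth_uri: str, primary_sso_config: str,
                           domain: AuthDomain) -> List[str]:
    """IdP objects applied to a SAML request from the SP behind `domain`.

    The IdP object assigned for the Primary Authentication URI always applies,
    because requests are processed by the primary authentication virtual server.
    Domain scope adds the domain's own SSO Config when the Primary
    Authentication URI lies inside that domain; Host scope ignores it.
    """
    if domain.cookie_scope not in ("Host", "Domain"):
        raise ValueError(f"unknown Cookie Scope: {domain.cookie_scope!r}")
    idp_host = urlsplit(primary_auth_uri).hostname
    if idp_host is None:
        raise ValueError("Primary Authentication URI must be absolute, e.g. http://idp.domain.com")
    objects = [primary_sso_config]
    if (domain.cookie_scope == "Domain" and domain.sso_config
            and in_domain(idp_host, domain.cookie_value)):
        objects.append(domain.sso_config)
    return objects


if __name__ == "__main__":
    # Constructed sample values, not from a real deployment.
    primary = "http://idp.domain.com"
    app_domain = AuthDomain("Domain", "domain.com", "sso_apps_domain_com")
    print(applicable_idp_objects(primary, "sso_primary_idp", app_domain))
    print(applicable_idp_objects(primary, "sso_primary_idp",
                                 AuthDomain("Host", "192.0.2.10", "sso_host_only")))
```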

Creating a virtual server for SAML multi-domain inline SSO

Before you start this task, configure client and server SSL profiles.
You need to create virtual servers for every domain to support SAML multi-domain inline SSO.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click Create.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type the IP address for a host virtual server.
    This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address.
  5. In the Service Port field, type 443 or select HTTPS from the list.
  6. For the HTTP Profile setting, verify that the default HTTP profile, http, is selected.
  7. For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL profile you previously created and move the name to the Selected list.
  8. For the SSL Profile (Server) setting, from the Available list, select the name of the Server SSL profile you previously created and move the name to the Selected list.
  9. In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
  10. Click Finished.
The virtual server is created. You need to create a similar virtual server for any other domains.
