Manual Chapter : Using BIG-IP IdP Automation
Applies To:Show Versions
- 15.0.1, 15.0.0
Using BIG-IP IdP Automation
Overview: Automating SAML IdP connector creation
When a BIG-IP system is configured as a SAML service provider (SP), you can use SAML identity provider (IdP) automation to automatically create new SAML IdP connectors for SP services. Access Policy Manager (APM®) polls a file or files that you supply; the files must contain cumulative IdP metadata. After polling, APM creates IdP connectors for any new IdPs and associates them with a specified SP service. APM uses matching criteria that you supply to send the user to the correct IdP.
When would I use SAML IdP automation?
Here is an example in which SAML Identity Provider (IdP) automation is especially useful. A large service provider (SP) supports a number of SAML identity providers. The service provider defines a SAML SP service on Access Policy Manager (APM®) for access to that service. As IdPs come online, the service provider collects metadata from them and aggregates the IdP metadata into a file.
The process for collecting and aggregating IdP metadata into a file is up to the service provider.
APM polls the metadata file, creates IdP connectors, associates new connectors to the specified SAML SP service, and ensures that clients performing SP-initiated access are sent to the correct IdP.
Automating IdP connector creation for a BIG-IP system as SP
To create a BIG-IP Identity Provider (IdP) automation configuration, you need a BIG-IP system that is configured to function as a SAML service provider (SP) and you need to have SAML SP services defined.
You create a connector automation configuration to automatically create SAML IdP connectors and bind them to an SP service based on cumulative IdP metadata you maintain in a file or files. You specify matching criteria in connector automation for APM to use, in order to send a user to the correct IdP.
- On the Main tab, click.The Connector Automation screen opens and displays a table. Each row includes a configuration name, the URLs where IdP metadata files are stored for a particular SP service, and the name of the SP service to which automation applies.
- ClickCreate.The Create New SAML IdP Automation popup screen opens.
- In theNamefield, type a name for the IdP automation configuration.
- For theSP Servicesetting, select a service from the list.If the SP service you want has not already been defined, clickCreateto configure it and add it to the list.APM periodically creates SAML IdP connectors and binds them to the SP service you specify here.
- From theIdP Matching Sourcelist, select or type the name of a session variable.At the time of SP-initiated SAML single sign-on, APM (as a SAML SP) matches the value of this session variable to the value in the tag that you specify in theMetadata Tag Match Valuefield.
- In theMetadata Tag Match Valuefield, type the name of a metadata tag.APM extracts the value in this tag from the IdP metadata and matches it with the value of the session variable specified in theIdP Matching Sourcefield.Do not include any wildcard in the value.
- In theMetadata Tag For IdP Connector Namefield, type the name of a tag that is included in the IdP metadata.APM uses the value in the tag to name the IdP connector that it creates.
- In theFrequencyfield, type a number of minutes.This specifies how often APM polls IdP metadata files.
- SelectMetadata URLsfrom the left pane.You specify URLs for one or more cumulative metadata files located on remote systems.A URL table displays in the right pane.
- Specify a URL for each SAML IdP metadata file to be read. To add each URL, follow these steps:
- ClickAdd.A new field opens in the URL table.
- Type a URL.Begin the URL withhttporhttps.For example, typehttps://mywebsite.com/metdata/idp/idp_metadata.xml.
- ClickUpdate.The new URL displays in the top row of the table.
- ClickOK.The Create SAML IdP Automation screen closes. The new automation displays in the list.
For IdP automation to work, you must provide the metadata files as specified in the metadata URLs.