Manual Chapter : About SAML Auth

Applies To:

BIG-IP APM

  • 15.0.1, 15.0.0
About SAML Auth

The SAML Auth action authenticates against an external SAML Identity Provider (IdP). This action is for use when the BIG-IP system is configured as a SAML service provider and supports connections initiated at SAML service providers.
The SAML Auth action provides these configuration elements:
AAA server
Specifies a local SP service that is associated with a SAML IdP. The local SP service configuration uniquely identifies the SP and specifies its security requirements.
IdPs are specified in SAML IdP connector configurations.
Attribute Consuming Service
Specifies the name of one of the attribute consuming services associated with the server. The index associated with the selected attribute consuming service is included in the SAML authentication request that is generated. The identity provider maps the index to the list of attributes derived from the metadata previously shared and returns those attributes in the SAML response. For example, the SP may include an Attribute Consuming Service index in a SAML request to get the attributes of an authenticated user.
Force Authentication
Allows the SP to include the ForceAuthn flag in an Authentication request at runtime. The options are:
  • Enable - Overrides the Service Provider Force Authentication setting and always adds ForceAuthn=true to the Authentication request.
  • Disable - Overrides the Service Provider Force Authentication setting and always adds ForceAuthn=false to the Authentication request.
  • Use AAA server setting (the default) - Uses the same Force Authentication setting as the Service Provider (Access > Federation > SAML Service Provider).
  • Session variable setting - Specifies that you want to use a session variable to control the ForceAuthn flag included in the Authentication request.
Force Authentication Session Variable
When Force Authentication is set to Session variable setting, specifies a session variable that controls the value of the ForceAuthn flag included in the Authentication request, as follows.
  • If the session variable resolves to 1 at runtime, APM adds ForceAuthn=true to the Authentication request, overriding the Force Authentication setting on the Service Provider.
  • If the session variable resolves to 0 at runtime, APM adds ForceAuthn=false to the Authentication request, overriding the Force Authentication setting on the Service Provider.
  • If the session variable is not found at runtime or resolves to a value other than 1 or 0, the Force Authentication setting on the Service Provider controls the ForceAuthn flag included in the Authentication request.
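The following is an added example, not F5 code, showing how the Force Authentication options and the session variable rules above resolve to the ForceAuthn attribute (and the Attribute Consuming Service index) in a SAML 2.0 AuthnRequest. The setting names, the session variable name and the SP entity ID are constructed for illustration.

```python
"""Resolve the APM SAML Auth Force Authentication options into the ForceAuthn
attribute of a SAML 2.0 AuthnRequest. Added example; not F5's implementation."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def resolve_force_authn(action_setting, sp_force_authn, session_vars=None, var_name=None):
    """Return the boolean to place in ForceAuthn.

    action_setting: "enable" | "disable" | "aaa" | "session_variable" (constructed names)
    sp_force_authn: Force Authentication setting on the SAML Service Provider object
    session_vars:   dict of APM session variables (values are strings at runtime)
    var_name:       session variable named in the action (hypothetical name in tests)
    """
    if action_setting == "enable":
        return True                      # always ForceAuthn=true
    if action_setting == "disable":
        return False                     # always ForceAuthn=false
    if action_setting == "aaa":
        return sp_force_authn            # defer to the SP object
    if action_setting == "session_variable":
        value = (session_vars or {}).get(var_name)
        if value is not None and str(value) == "1":
            return True
        if value is not None and str(value) == "0":
            return False
        return sp_force_authn            # missing or any other value: SP setting wins
    raise ValueError(f"unknown Force Authentication setting: {action_setting!r}")


def build_authn_request(sp_entity_id, force_authn, acs_index=None, request_id="_req1"):
    """Serialize a minimal AuthnRequest carrying ForceAuthn and, optionally,
    AttributeConsumingServiceIndex as the action would emit them."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": "2024-01-01T00:00:00Z",   # constructed timestamp
        "ForceAuthn": "true" if force_authn else "false",
    })
    if acs_index is not None:
        req.set("AttributeConsumingServiceIndex", str(acs_index))
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    return ET.tostring(req, encoding="unicode")
```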