Manual Chapter: Configuring APM as a SAML IdP for Inline SSO
Applies to: BIG-IP APM 15.1.2, 15.1.0
Overview: Configuring APM as a SAML IdP for inline SSO
You can configure the BIG-IP APM system as a Security Assertion Markup Language (SAML) Identity
Provider (IdP) to provide inline single sign-on (SSO) for service providers (SP) not directly
reachable by the client.
With SAML inline SSO, users authenticated through APM (configured as a SAML IdP) can access
resources outside of the APM webtop. BIG-IP APM also supports SP-initiated multi-domain SAML
inline SSO.
In this example, the BIG-IP system is configured in LTM+APM mode. Pool members refer to the SP.
You can configure APM as either a SAML IdP or as both a SAML IdP and SP.
Configuring an access profile for SAML inline SSO
To configure SAML inline SSO, you need to create an access profile to support the
LTM-APM profile type with single domain SSO.
- On the Main tab, click. The Access Profiles (Per-Session Policies) screen opens.
- Click Create. The New Profile screen opens.
- In the Name field, type a name for the access profile. An access profile name must be unique among all access profile and per-request policy names.
- From the Profile Type list, select LTM-APM. Additional settings display.
- From the Profile Scope list, select the appropriate scope to grant to users being examined by this policy.
- In the SSO Across Authentication Domains (Single Domain mode) area:
  - Retain the default settings for Domain Cookie (blank) and Cookie Options (with only the Secure check box selected).
  - From SSO Configuration, select the SSO configuration to apply to the domain.
- In the Language Settings area, add and remove accepted languages, and set the default language. A browser uses the highest-priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
- Click Finished. This creates an access profile with a default access policy.
The access profile displays in the Access Profiles List. The default-log-setting is assigned to the access profile.
Creating a virtual server for SAML inline SSO
Before you start this task, configure a client SSL profile and a server SSL profile.
Specify a host virtual server to use as the SAML IdP.
- On the Main tab, click. The Virtual Server List screen opens.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- For the Destination Address/Mask setting, confirm that the Host button is selected, and type the IP address in CIDR format. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix. The IP address you type must be available and not in the loopback network.
- In the Service Port field, type 443 or select HTTPS from the list.
- For the HTTP Profile (Client) setting, verify that the default HTTP profile, http, is selected.
- For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL profile you previously created and move the name to the Selected list.
- For the SSL Profile (Server) setting, from the Available list, select the name of the Server SSL profile you previously created and move the name to the Selected list.
- In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
- In the Resources area of the screen, from the Default Pool list, select the pool containing the service provider IP address.
- Click Finished.
The virtual server for the BIG-IP system configured for SAML inline SSO now appears on the Virtual Server List.
Tasks to complete SAML inline SSO
The steps to finish configuring APM as a SAML Identity Provider (IdP) for SAML inline SSO (or SAML multi-domain inline SSO) are included in the section Using APM as a SAML IdP (SSO portal), which appears in the SAML Configuration guide:
- Configuring an artifact resolution service
- Configuring SAML SP connectors
- Configuring a SAML IdP service for one SP connector
- Binding a SAML IdP service to one SP connector
- Exporting SAML IdP metadata from APM
- Configuring a SAML resource and attaching a SAML IdP service
- Configuring an access policy for a SAML SSO portal
- Adding IdP metadata from APM to external SAML SPs
Overview: Configuring APM as a SAML IdP for multi-domain inline SSO
You can configure multi-domain inline SAML SSO when multiple service providers (SPs) are
located behind different virtual servers. All SPs share a single access profile with SAML
assertions generated on request by the Identity Provider (IdP).
A user can connect to any of the SPs protected by the virtual servers in the domain group, and
be authenticated by the IdP. Subsequent connections to other SPs within the domain group do not
require users to authenticate.
As a result, inline SAML SSO with multi-domain deployment behaves as follows:
- IdP objects assigned in a multi-domain access policy (in either a Resource Assign agent or an Advanced Resource Assign agent) are applied to requests from all authentication domains.
- When the Cookie Scope for the application virtual server in the multi-domain SSO is set to Domain, the system also uses the SSO configuration (IdP object) created for that domain in the SSO Config attribute, provided the primary authentication URI is in the same domain.
- When the Cookie Scope for the application virtual server in the multi-domain SSO is set to Host, the system ignores the SSO Config created for that host when processing authentication requests from an internal SP, because SAML authentication requests are processed by the primary authentication virtual server hosting the IdP. Instead, the IdP objects assigned in the access policy for the primary authentication URI are applied when processing authentication requests from the internal SP.
Creating an access profile for SAML multi-domain inline SSO
To configure SAML multi-domain inline SSO, you need to create an access profile to
support the LTM-APM profile type with multi-domain SSO.
- On the Main tab, click. The Access Profiles (Per-Session Policies) screen opens.
- Click Create. The New Profile screen opens.
- In the Name field, type a name for the access profile. An access profile name must be unique among all access profile and per-request policy names.
- From the Profile Type list, select LTM-APM. Additional settings display.
- From the Profile Scope list, select the appropriate scope to grant to users being examined by this policy.
- In the Language Settings area, add and remove accepted languages, and set the default language. A browser uses the highest-priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
- Click Finished. This creates an access profile with a default access policy.
- From the list, click the name of the access profile you just created.
- On the menu bar, click SSO/Auth Domains.
- For the Domain Mode setting, select Multiple Domains.
- For Primary Authentication URI, type the URI to the IdP, for example, http://idp.domain.com. Use the scheme and host name that clients actually use to reach the virtual server hosting the IdP; the virtual servers in this chapter listen for HTTPS on port 443. Each domain that you configure indicates the domain to which the APM session (established by the primary authentication URI) is bound.
- In the Authentication Domain Configuration area, for Cookie, select Host or Domain, and for the host, type the IP address, or for domain, type the fully qualified domain name.
- Configure the Cookie Options. The default is Secure. When Cookie Scope for application virtual servers in a multi-domain SSO is set to Domain, the BIG-IP system also uses the SSO configuration (IdP object) configured for that domain in the SSO Config attribute, provided that the Primary Authentication URI is in the same domain. When Cookie Scope is set to Host, the BIG-IP system ignores the SSO Config (IdP object) for that host when processing authentication requests from the internal SP, because SAML authentication requests are processed by the primary authentication virtual server hosting the IdP. Instead, the IdP objects assigned in the access policy and access profile for the Primary Authentication URI are applied when processing authentication requests from the internal SP.
- From SSO Configuration, select the configuration that you want to associate with each host or domain.
- Click Update.
The access profile is created and updated for multi-domain inline SSO.
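The Cookie Scope rule described in the overview and restated in the Cookie Options step above decides which IdP objects APM will actually apply to a request from an internal SP. The following is an added example, not code from this manual or from F5, that turns that rule into a small audit you can run over a written-down copy of a multi-domain access profile. The dictionary layout, the domain and object names, and the sample configuration are all constructed for illustration. One point the manual implies but does not spell out is taken as an assumption: with Domain scope and a Primary Authentication URI outside that domain, only the policy-assigned IdP objects apply. The domain comparison is done on a label boundary so that a host such as idp.notexample.com is not treated as part of example.com.

```python
from urllib.parse import urlparse


def host_in_domain(hostname: str, domain: str) -> bool:
    """True when hostname equals domain or is a subdomain of it.

    The match is on a label boundary: idp.example.com is in example.com,
    idp.notexample.com is not. A plain suffix match would accept the latter.
    """
    h = hostname.lower().rstrip(".")
    d = domain.lower().strip(".")
    return h == d or h.endswith("." + d)


def idp_objects_for_domain(auth_domain: dict, primary_auth_uri: str,
                           policy_idp_objects: list) -> tuple:
    """Work out which IdP objects APM applies to SAML authentication requests
    arriving from an internal SP behind one authentication domain.

    auth_domain (constructed layout): {"cookie_scope": "Host" | "Domain",
        "cookie_value": host or domain string, "sso_config": IdP object or None}
    policy_idp_objects: IdP objects assigned in the access policy for the
        Primary Authentication URI; these apply to every authentication domain.
    Returns (list of IdP object names, short reason string).
    """
    scope = auth_domain["cookie_scope"]
    primary_host = urlparse(primary_auth_uri).hostname or ""
    applied = list(policy_idp_objects)

    if scope == "Host":
        return applied, ("Host scope: the host's SSO Config is ignored; the primary "
                         "authentication virtual server processes the request")
    if scope == "Domain":
        if auth_domain.get("sso_config") and host_in_domain(primary_host, auth_domain["cookie_value"]):
            applied.append(auth_domain["sso_config"])
            return applied, ("Domain scope and the Primary Authentication URI is in the "
                             "same domain: the domain's SSO Config is also applied")
        # Assumption: the manual only says the domain's SSO Config is used
        # "provided" the primary URI is in the domain, so nothing extra applies here.
        return applied, ("Domain scope but the Primary Authentication URI is outside "
                         "the domain: only policy-assigned IdP objects apply")
    raise ValueError(f"unknown cookie scope {scope!r}")


def audit_multi_domain_profile(primary_auth_uri: str, auth_domains: list,
                               policy_idp_objects: list) -> dict:
    """Run the rule over every authentication domain in the profile and return
    cookie value -> list of IdP objects that will actually be used."""
    return {d["cookie_value"]: idp_objects_for_domain(d, primary_auth_uri, policy_idp_objects)[0]
            for d in auth_domains}


# Constructed sample configuration (not from the manual): two Domain-scoped and
# one Host-scoped authentication domains behind one multi-domain access profile.
SAMPLE_PRIMARY_AUTH_URI = "https://idp.example.com"
SAMPLE_POLICY_IDP_OBJECTS = ["idp_portal"]
SAMPLE_AUTH_DOMAINS = [
    {"cookie_scope": "Domain", "cookie_value": "example.com", "sso_config": "idp_example_com"},
    {"cookie_scope": "Host", "cookie_value": "hr.example.com", "sso_config": "idp_hr"},
    {"cookie_scope": "Domain", "cookie_value": "partner.net", "sso_config": "idp_partner"},
]

if __name__ == "__main__":
    for d in SAMPLE_AUTH_DOMAINS:
        objs, why = idp_objects_for_domain(d, SAMPLE_PRIMARY_AUTH_URI, SAMPLE_POLICY_IDP_OBJECTS)
        print(f"{d['cookie_value']} ({d['cookie_scope']}): {objs}\n    {why}")
```

Running it against the sample shows that idp_hr is never used for hr.example.com (Host scope) and that idp_partner is never used for partner.net because the primary authentication URI lives in example.com; in both cases only the objects assigned in the primary authentication policy apply.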
Creating a virtual server for SAML multi-domain inline SSO
Before you start this task, configure client and server SSL profiles.
You need to create virtual servers for every domain to support SAML multi-domain inline SSO.
- On the Main tab, click. The Virtual Server List screen opens.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- For the Destination Address/Mask setting, confirm that the Host button is selected, and type the IP address in CIDR format. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix. The IP address you type must be available and not in the loopback network.
- In the Service Port field, type 443 or select HTTPS from the list.
- For the HTTP Profile (Client) setting, verify that the default HTTP profile, http, is selected.
- For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL profile you previously created and move the name to the Selected list.
- For the SSL Profile (Server) setting, from the Available list, select the name of the Server SSL profile you previously created and move the name to the Selected list.
- In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
- Click Finished.
The virtual server is created. You need to create a similar virtual server for any other domains.
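Both virtual server procedures in this chapter (the single-domain one, which also selects the pool containing the service provider, and the multi-domain one, which is repeated per domain) map onto one iControl REST object. The following is an added example, not code from this manual or from F5, that builds that object from the same inputs the GUI asks for and applies the Destination Address/Mask rules stated above: address or address/prefix, /32 for a bare IPv4 address, and no loopback addresses. The profile, pool and virtual server names are constructed. Two assumptions are labelled in the code: a bare IPv6 address is given /128 (the manual only states the IPv4 default), and the rba and websso profiles, which the GUI attaches when an access profile with SSO is selected, are listed explicitly because the REST path does not go through the GUI.

```python
import base64
import ipaddress
import json
import urllib.request


def parse_destination(address: str):
    """Apply the Destination Address/Mask rules from the procedure.

    Accepts address or address/prefix. An IPv4 address without a prefix gets
    /32; assumption: a bare IPv6 address gets /128 by the same logic. Loopback
    addresses are rejected, as the GUI requires. Returns (ip, netmask string).
    """
    host, _, prefix = address.partition("/")
    ip = ipaddress.ip_address(host)
    prefix_len = int(prefix) if prefix else ip.max_prefixlen
    if not 0 <= prefix_len <= ip.max_prefixlen:
        raise ValueError(f"prefix /{prefix_len} is out of range for {ip}")
    if ip.is_loopback:
        raise ValueError(f"{ip} is in the loopback network and cannot be a virtual server destination")
    netmask = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False).netmask
    return ip, str(netmask)


def build_idp_virtual(name, destination, client_ssl, server_ssl, access_profile,
                      pool=None, port=443, partition="Common"):
    """Build the iControl REST body for an LTM+APM virtual server matching the
    GUI steps: HTTPS on 443, the http profile, client and server SSL profiles,
    the access profile, and (single-domain case) the pool containing the SP."""
    ip, netmask = parse_destination(destination)
    # BIG-IP writes IPv4 destinations as addr:port and IPv6 as addr.port
    sep = ":" if ip.version == 4 else "."
    profiles = [
        {"name": "/Common/http"},
        {"name": f"/{partition}/{client_ssl}", "context": "clientside"},
        {"name": f"/{partition}/{server_ssl}", "context": "serverside"},
        {"name": f"/{partition}/{access_profile}"},
        # Assumption: the GUI attaches these when an access profile with SSO is
        # selected; over REST they are listed explicitly.
        {"name": "/Common/rba"},
        {"name": "/Common/websso"},
    ]
    body = {
        "name": name,
        "partition": partition,
        "destination": f"/{partition}/{ip}{sep}{port}",
        "mask": netmask,
        "ipProtocol": "tcp",
        "profiles": profiles,
    }
    if pool:
        body["pool"] = f"/{partition}/{pool}"
    return body


def create_virtual(bigip_host, username, password, body):
    """POST the body to the iControl REST virtual-server collection. Not run by
    default. Uses the default TLS context, so the management certificate of the
    BIG-IP must verify; do not disable verification to make this work."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{bigip_host}/mgmt/tm/ltm/virtual",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Authorization": "Basic " + token},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed names; replace with the profiles and pool created earlier in the chapter.
    print(json.dumps(build_idp_virtual("vs_saml_idp", "10.0.0.1", "clientssl_idp",
                                       "serverssl_sp", "ap_saml_inline_sso",
                                       pool="pool_saml_sp"), indent=2))
```

For the multi-domain case, call build_idp_virtual once per domain without the pool argument and with that domain's destination address; the same access profile name is passed each time, which is what makes the virtual servers members of one domain group.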