Manual Chapter : Introducing Access Policy Manager SAML Support

Applies To:


BIG-IP APM

  • 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0

About SAML

Security Assertion Markup Language (SAML) defines a common XML framework for creating, requesting, and exchanging authentication and authorization data among entities known as Identity Providers (IdPs) and Service Providers (SPs). This exchange enables single sign-on among such entities.
  • IdP (Identity Provider): a system or administrative domain that asserts information about a subject. The information that an IdP asserts pertains to authentication, attributes, and authorization. An assertion is a claim that an IdP makes about a subject.
  • Service Provider: a system or administrative domain that relies on information provided by an IdP. Based on an assertion from an IdP, a service provider grants or denies access to protected services.
In simple terms, an IdP is a claims producer and a service provider is a claims consumer. An IdP produces assertions about users, attesting to their identities. Service providers consume and validate assertions before providing access to resources.
SAML 2.0 is an OASIS open standard. The SAML core specification defines the structure and content of assertions. For the SAML 2.0 features that Access Policy Manager (APM) supports, see solution article sol16497 on the AskF5 web site at http://support.f5.com/.

SAML metadata

SAML metadata specifies how configuration information is defined and shared between two communicating entities: a SAML Identity Provider (IdP) and a SAML service provider. Service provider metadata provides information about service provider requirements, such as whether the service provider requires a signed assertion, the protocol binding support for endpoints (AssertionConsumerService) and which certificates and keys to use for signing and encryption. IdP metadata provides information about IdP requirements, such as the protocol binding support for endpoints (SingleSignOnService), and which certificate to use for signing and encryption.

SAML single logout service

Single logout (SLO) lets a user terminate all of their SAML sessions with one action; the remaining sessions are ended automatically, without further user intervention. Either the SAML Identity Provider (IdP) or the SAML service provider (SP) can initiate logout. The SAML IdP coordinates all logouts. When a SAML SP initiates a logout, it contacts the SAML IdP to carry out the coordinated logout on its behalf.
Access Policy Manager (APM®) supports SLO when all participating entities (SAML SPs and IdPs) support SLO. APM supports HTTP-POST binding for SLO messages.

SAML artifact resolution protocol

SAML artifact resolution protocol provides a mechanism by which a service provider (SP) can obtain a SAML assertion from an Identity Provider (IdP) by reference. Instead of binding an assertion to a transport protocol, an IdP sends a small piece of data (known as an artifact) using either HTTP POST or HTTP Redirect bindings. An SP can then use artifact resolution protocol with the SOAP binding protocol to resolve the artifact into the original assertion.
Although the SAML 2.0 specification supports using an artifact in place of any SAML message (request or response), the BIG-IP system supports using artifacts for assertions only.
When BIG-IP is configured as a SAML IdP, an artifact resolution service on the BIG-IP system can process artifact resolution requests and artifact resolution responses.
When BIG-IP is configured as a SAML SP, it can send the artifacts it receives to a URL that the IdP specifies for resolving artifacts into assertions.
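As an added example (not F5 code), the following builds and parses a SAML 2.0 type 0x0004 artifact as laid out in the SAML Bindings specification (type code, endpoint index, SHA-1 SourceID of the issuer's entityID, message handle) and shows the check an SP should make before resolving it: the SourceID must name a configured IdP and the endpoint index must be one that IdP's metadata lists. The entity IDs and URLs are constructed placeholders.

```python
# Added example (not F5 code): build and parse a SAML 2.0 type 0x0004 artifact and
# perform the SourceID check an SP should make before calling the IdP's resolver.
import base64
import hashlib
from typing import Optional

TYPE_CODE = b"\x00\x04"  # SAML 2.0 artifact type code (SAML Bindings spec)

def build_artifact(issuer_entity_id: str, endpoint_index: int, handle: bytes) -> str:
    """IdP side: TypeCode || EndpointIndex || SourceID || MessageHandle, base64 encoded."""
    if len(handle) != 20:
        raise ValueError("message handle must be 20 bytes")
    # The spec derives SourceID as SHA-1 of the issuer's entityID.
    source_id = hashlib.sha1(issuer_entity_id.encode()).digest()
    raw = TYPE_CODE + endpoint_index.to_bytes(2, "big") + source_id + handle
    return base64.b64encode(raw).decode()

def parse_artifact(artifact: str) -> dict:
    """SP side: split a received artifact into its fields, rejecting malformed input."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 44 or raw[:2] != TYPE_CODE:
        raise ValueError("not a SAML 2.0 type 0x0004 artifact")
    return {"endpoint_index": int.from_bytes(raw[2:4], "big"),
            "source_id": raw[4:24], "message_handle": raw[24:44]}

def resolution_endpoint(artifact: str, trusted_idps: dict) -> Optional[str]:
    """Return the artifact resolution URL only when the SourceID names a configured IdP
    and the endpoint index is one that IdP's metadata lists; otherwise None."""
    fields = parse_artifact(artifact)
    for entity_id, endpoints in trusted_idps.items():
        if hashlib.sha1(entity_id.encode()).digest() == fields["source_id"]:
            return endpoints.get(fields["endpoint_index"])
    return None

# Constructed sample: one trusted IdP with a single resolution endpoint (placeholder URL).
TRUSTED_IDPS = {"https://idp.example.test/saml/idp": {0: "https://idp.example.test/saml/ars"}}
SAMPLE_ARTIFACT = build_artifact("https://idp.example.test/saml/idp", 0, bytes(range(20)))
```

The SP sends its SOAP ArtifactResolve only to the URL this lookup returns from its own IdP configuration, never to an address derived from the incoming request.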

Benefits of using APM for SAML support

Access Policy Manager as a SAML Identity Provider (IdP)

When you use Access Policy Manager (APM) as a SAML IdP, APM can authenticate a user and generate assertions for that user, who can then gain access to resources protected by SAML. APM provides SAML assertions (claims) that service providers verify and consume. In this role, APM acts as an authentication server and provides single sign-on to service provider resources.

Access Policy Manager as a SAML Service Provider (SP)

When you use APM as a SAML service provider, APM consumes SAML assertions (claims) and validates their trustworthiness. After successfully verifying the assertion, APM creates session variables from the assertion contents. In an access policy, you can use these session variables to finely control access to resources and to determine which ACLs to assign. Based on the values of session variables, you can create multiple branches in the policy, assigning different resources and different ACLs on each branch. When it runs, the access policy follows a branch depending on the values of session variables.

Federation

APM systems interoperate when one APM system is configured as an IdP and other APM systems are configured as service providers. This allows a user to authenticate with one APM acting as an IdP, and then use any number of APM systems serving as service providers without having to re-authenticate.

Metadata import and export

You can simplify SAML configuration using metadata files. When you use APM as an IdP, you can configure a SAML service provider by importing a metadata file that you obtain from the vendor. Similarly, when you use APM as a service provider, you can configure an IdP by importing a metadata file that you obtain from the vendor. You can export the metadata for APM as a SAML IdP from APM and import the metadata file into a service provider (or use information from the metadata file to configure the service provider). You can export the metadata for APM as a SAML service provider from APM and import the metadata file into an IdP (or use information from the metadata file to configure the IdP).

Templates

APM provides a few templates that you can use to create service provider connectors, and a few that you can use to create IdP connectors, with a minimal amount of typing.

Custom service providers and custom IdPs

In addition to configuring service provider connectors or an IdP connector from vendor metadata files or APM templates, you can configure custom service provider and IdP connectors.

IdP-initiated and service provider-initiated client connections

Access Policy Manager supports client connections that initiate at the IdP or at the service provider.

Signed assertions

By default, APM produces signed assertions. An assertion signed by the asserting party (the IdP) supports assertion integrity, authentication of the asserting party to a SAML relying party (a service provider), and, if the signature is based on the SAML authority's public-private key pair, non-repudiation of origin.

Encrypted assertions

For increased security, APM can optionally encrypt the entire assertion. APM supports the encryption methods AES128, AES192, and AES256.

Support for SAML profiles

APM supports the Web Browser SSO profile with HTTP redirect and HTTP POST bindings. APM also supports the Enhanced Client or Proxy Profile (ECP).

Support for Microsoft Office 365 as a SAML service provider

APM supports Microsoft Office 365 as a SAML service provider (SP). The BIG-IP system, configured as a SAML Identity Provider (IdP), supports the Enhanced Client or Proxy Profile (ECP) SAML profile. APM includes a predefined external service provider connector for Office 365. The SP connector supports assertion consumer services with PAOS (HTTP reverse SOAP) and POST bindings.

When should I configure a BIG-IP system as a SAML IdP?

Configure a BIG-IP system as a SAML identity provider (IdP) when you have one BIG-IP system and you want it to provide single sign-on authentication service for a group of external SAML service providers.

When should I configure a BIG-IP system as a SAML service provider?

Configure a BIG-IP system as a SAML service provider when you have one BIG-IP system and you want it to protect services that are behind it, and direct users to an external SAML identity provider for authentication.

Overview: Exchanging certificates among SAML entities

For security purposes, each SAML service provider (SP) should have a certificate from the SAML Identity Provider (IdP) that manages identities for it; each IdP should have certificates from the SPs for which it manages identities.

Certificates on the BIG-IP system

Metadata normally includes a certificate. When you import metadata into a BIG-IP system from an external SP or an external IdP, the certificate that was included in the metadata is stored on the BIG-IP system. When you configure security-related settings on the BIG-IP system, you select certificates from the store.
If you do not have metadata that you can import from external SPs or IdPs, then you need to do one of the following:
  • Get certificate files that you can import from the external systems into the BIG-IP system.
  • Get certificate information from each external system that you can then paste into a user interface to create certificate files for them on the BIG-IP system.
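As an added example (not F5 code) covering both the SAML metadata section above and the certificate store described here, the following parses the parts of SP or IdP metadata that the text names (entityID, WantAssertionsSigned, AssertionConsumerService or SingleSignOnService endpoints with their bindings, and the signing/encryption certificates) and reports each certificate's SHA-256 fingerprint so you can compare it with the value the vendor gave you before relying on the imported copy. The metadata document, hosts and certificate bytes are constructed placeholders.

```python
# Added example (not F5 code): parse the parts of SAML 2.0 metadata that the
# text describes and fingerprint the certificate a BIG-IP system would store.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for DER certificate bytes; real metadata carries a full X.509 cert.
FAKE_DER = b"constructed-certificate-bytes"
# Constructed SP metadata; entityID and URLs are placeholders, not real hosts.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://sp.example.test/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint: compare it with the value the vendor gave you out of band."""
    return hashlib.sha256(der).hexdigest()

def parse_metadata(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    info = {"entity_id": root.get("entityID"), "certs": {}, "endpoints": []}
    # SP and IdP descriptors differ in their endpoint element names; handle both.
    for role, endpoint in (("SPSSODescriptor", "AssertionConsumerService"),
                           ("IDPSSODescriptor", "SingleSignOnService")):
        desc = root.find(f"md:{role}", NS)
        if desc is None:
            continue
        info["role"] = role
        info["want_assertions_signed"] = desc.get("WantAssertionsSigned") == "true"
        for kd in desc.findall("md:KeyDescriptor", NS):
            cert_el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            # A KeyDescriptor without 'use' serves both signing and encryption.
            info["certs"][kd.get("use", "signing+encryption")] = fingerprint(
                base64.b64decode(cert_el.text.strip()))
        for ep in desc.findall(f"md:{endpoint}", NS):
            info["endpoints"].append(
                (ep.get("Binding").rsplit(":", 1)[-1], ep.get("Location")))
    return info
```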

BIG-IP system certificates on external systems

To get a certificate from the BIG-IP system, you can export it. You can also obtain a certificate from a BIG-IP system by exporting its SAML metadata for use on the external system.
When you export metadata from a BIG-IP system, it includes a certificate. However, when an external system requires signed metadata, the external system must already have a certificate from the BIG-IP system to validate the metadata.

Importing an SSL certificate

Before you can perform this procedure, an SSL certificate must be available.
A BIG-IP system requires a certificate from an external SAML service provider (SP) when the BIG-IP system is configured as a SAML Identity Provider (IdP) and must verify a signed authentication request from the SP. A BIG-IP system requires a certificate from an external IdP when the BIG-IP system is configured as an SP and must verify a signed authentication request from the IdP.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management.
     The Traffic Certificate Management screen opens.
  2. Click the Import button.
  3. From the Import Type list, select Certificate.
  4. For the Certificate Name setting:
     • If you are importing a new certificate, select Create New and type a unique name in the field.
     • If you are replacing an existing certificate, select Overwrite Existing and select a certificate name from the list.
  5. For the Certificate Source setting, select Upload File and browse to select the certificate you obtained from the vendor.
  6. Click Import.
The SSL certificate for the vendor is installed.

Exporting a digital certificate

You export a digital certificate when you configure a BIG-IP system for SAML and you need a certificate from the BIG-IP system on an external SAML system.
  1. On the Main tab, click System > Certificate Management > Traffic Certificate Management.
     The Traffic Certificate Management screen opens.
  2. Click the name of the certificate you want to export.
     The General Properties screen displays.
  3. Click Export.
     The Certificate Export screen displays the contents of the certificate in the Certificate Text box.
  4. To obtain the certificate, do one of the following:
     • Copy the text from the Certificate Text field, and paste it as needed into an interface on another system.
     • At the Certificate File option, click Download filename, where filename is the name of the certificate file, such as mycert.crt.