About SAML Auth
Applies To: BIG-IP APM 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
The SAML Auth action authenticates against an external SAML Identity Provider (IdP). This action is for use when the BIG-IP system is configured as a SAML service provider and supports connections initiated at SAML service providers.
The SAML Auth action provides this configuration element:
- AAA server
- Specifies a local SP service that is associated with a SAML IdP. The local SP service configuration uniquely identifies the SP and specifies its security requirements. IdPs are specified in SAML IdP connector configurations.
- Attribute Consuming Service
- Specifies the name of one of the attribute consuming services associated with the server. The index associated with the selected attribute consuming service is included in the SAML authentication request that is generated. The identity provider maps the index to the list of attributes derived from the metadata previously shared and returns those attributes in the SAML response. For example, the SP may include an Attribute Consuming Index in a SAML request to get the attributes of an authenticated user.
- Force Authentication
- Allows the SP to include the ForceAuthn flag in an Authentication request at runtime. The options are:
- Enable - Overrides the Service Provider Force Authentication setting and always adds ForceAuthn=true to the Authentication request.
- Disable - Overrides the Service Provider Force Authentication setting and always adds ForceAuthn=false to the Authentication request.
- Use AAA server setting (the default) - Uses the same Force Authentication setting as the Service Provider.
- Session variable setting - Specifies that you want to use a session variable to control the ForceAuthn flag included in the Authentication request.
- Force Authentication Session Variable
- When Force Authentication is set to Session variable setting, specifies a session variable that controls the value of the ForceAuthn flag included in the Authentication request, as follows.
- If the session variable resolves to 1 at runtime, APM adds ForceAuthn=true to the Authentication request, overriding the Force Authentication setting on the Service Provider.
- If the session variable resolves to 0 at runtime, APM adds ForceAuthn=false to the Authentication request, overriding the Force Authentication setting on the Service Provider.
- If the session variable is not found at runtime or resolves to a value other than 1 or 0, then the Force Authentication setting on the Service Provider controls the behavior of the ForceAuthn flag included in the Authentication request.
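The following is an added example, not F5 code and not how APM is implemented internally. It models the two decisions this chapter describes for an SP-initiated request: the Force Authentication precedence (Enable, Disable, Use AAA server setting, or a session variable that resolves to 1, 0, or anything else) and the Attribute Consuming Service index, and shows how both surface as attributes on the resulting SAML AuthnRequest. The session variable name session.custom.force_authn, the mode names, and the example URLs are assumptions chosen for the demonstration; the XML attribute names (ForceAuthn, AttributeConsumingServiceIndex) are the standard SAML 2.0 protocol attributes.

```python
"""Added example (not F5/APM code): resolving ForceAuthn and the attribute
consuming service index into a SAML 2.0 AuthnRequest."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Mapping, Optional, Tuple

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)


def resolve_force_authn(mode: str, sp_setting: bool,
                        session_vars: Mapping[str, str], var_name: str = "") -> bool:
    """Decide the ForceAuthn value using the precedence described in the chapter.

    mode (assumed labels for the four UI options):
      "enable"  - always ForceAuthn=true, overriding the SP service setting
      "disable" - always ForceAuthn=false, overriding the SP service setting
      "aaa"     - use the Force Authentication setting on the SP service (default)
      "session" - read session variable var_name: "1" -> true, "0" -> false,
                  missing or any other value -> fall back to the SP service setting
    """
    if mode == "enable":
        return True
    if mode == "disable":
        return False
    if mode == "aaa":
        return sp_setting
    if mode == "session":
        raw = session_vars.get(var_name)
        value = None if raw is None else str(raw).strip()
        if value == "1":
            return True
        if value == "0":
            return False
        return sp_setting  # not found, or not 1/0: SP service setting controls the flag
    raise ValueError(f"unknown Force Authentication mode: {mode!r}")


def build_authn_request(issuer: str, acs_url: str, destination: str, force_authn: bool,
                        acs_index: Optional[int] = None,
                        request_id: Optional[str] = None) -> str:
    """Serialize an SP-initiated AuthnRequest carrying the resolved settings."""
    root = ET.Element(f"{{{SAMLP_NS}}}AuthnRequest")
    # xs:ID values must not start with a digit, hence the leading underscore
    root.set("ID", request_id or "_" + uuid.uuid4().hex)
    root.set("Version", "2.0")
    root.set("IssueInstant", datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"))
    root.set("Destination", destination)
    root.set("AssertionConsumerServiceURL", acs_url)
    root.set("ProtocolBinding", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST")
    root.set("ForceAuthn", "true" if force_authn else "false")
    if acs_index is not None:
        # The IdP maps this index to the attribute list from the SP metadata
        root.set("AttributeConsumingServiceIndex", str(acs_index))
    ET.SubElement(root, f"{{{SAML_NS}}}Issuer").text = issuer
    return ET.tostring(root, encoding="unicode")


def read_request_flags(xml_text: str) -> Tuple[bool, Optional[int]]:
    """Return (force_authn, acs_index) as an IdP would read them from the request.
    Per SAML 2.0, an absent ForceAuthn attribute means false."""
    root = ET.fromstring(xml_text)
    force = root.get("ForceAuthn", "false").lower() == "true"
    idx = root.get("AttributeConsumingServiceIndex")
    return force, (int(idx) if idx is not None else None)


if __name__ == "__main__":
    # Constructed session state: the policy earlier set the variable to "1"
    session_vars = {"session.custom.force_authn": "1"}
    force = resolve_force_authn("session", sp_setting=False, session_vars=session_vars,
                                var_name="session.custom.force_authn")
    req = build_authn_request("https://sp.example.com/saml/sp",
                              "https://sp.example.com/saml/acs",
                              "https://idp.example.com/sso", force, acs_index=1)
    print(req)
    print(read_request_flags(req))
```

Note that in session mode the fallback for a missing or non-0/1 variable is the Service Provider setting, not false: when auditing a policy that relies on a session variable to force re-authentication, check both the variable's value and the local SP service's Force Authentication setting, because the latter decides the outcome whenever the variable is absent or malformed.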