Manual Chapter : About the SAML step-up authentication example

Applies To:

Show Versions Show Versions


  • 16.0.1, 16.0.0
Manual Chapter

About the SAML step-up authentication example

Here we show you the steps to use SAML step-up authentication by performing actions in both a per-session policy and a per-request policy. The example shows policies that protect an enterprise organization or cloud where users gain access by logging in to the corporate network then require additional authentication to get to certain restricted areas:
  • The company has a publicly accessible information portal -
  • All users must authenticate with a Windows directory server for general access and the information portal
  • The portal has links to a URI path that requires additional authentication
The per-session policy presents a logon page and authenticates users attempting to access resources behind a virtual server. Once the user is successfully authenticated, the per-request policy performs URL branching to allow access to all resources except those having
in the URL. Users wanting to access sensitive information require SAML authentication, which is performed in a subroutine.
To develop such a policy, you need the following:
  • A SAML Service Provider service
  • SAML Identity Provider (IdP) connectors
  • An SSL certificate from each SAML IdP, imported to the BIG-IP system (included as part of IdP connector configuration)
  • A per-session access policy
  • A per-request policy that includes the SAML Auth agent
  • Client and server SSL profiles (highly recommended)
  • A virtual server associated with both policies and HTTPS service port
  • An active directory server (defined in
    Active Directory
Refer to
Using APM as a SAML Service Provider
BIG-IP Access Policy Manager: SAML Configuration
for details on configuring a SAML SP service and one or more IdP connectors.