Manual Chapter: Using APM as a SAML IdP (no SSO portal)
Applies To: BIG-IP APM 16.0.1, 16.0.0
Overview: Configuring a BIG-IP system as IdP for SP-initiated connections only
A configuration that allows users to initiate connections only from service providers (SPs) works only when all service providers require the same assertion type and value, and the same attributes, from the IdP.
Configuration requirements for supporting SP-initiated connections only
For Access Policy Manager as a SAML identity provider (IdP) to support only connections that start at a service provider, you need to meet these configuration requirements:
- SAML IdP services: One.
- SAML SP connectors: One for each SAML service provider.
- SSL certificate and key: One set for each SAML service provider, imported into the store on the BIG-IP system.
- An access profile.
- An access policy.
- A virtual server that assigns the access profile.
Configuration requirements are summarized in this diagram.
About local IdP service
A SAML IdP service is a type of single sign-on (SSO) authentication service in Access Policy Manager (APM). When you use a BIG-IP system as a SAML identity provider (IdP), a SAML IdP service provides SSO authentication for external SAML service providers (SPs). You must bind a SAML IdP service to SAML SP connectors, each of which specifies an external SP. APM responds to authentication requests from the service providers and produces assertions for them.
About SP connectors
A SAML service provider connector (an SP connector) specifies how a BIG-IP system, configured as a SAML Identity Provider (IdP), connects with an external service provider.
What are the available ways I can configure a SAML SP connector?
You can use one or more of these methods to configure SAML service provider (SP) connectors in
Access Policy Manager.
- From metadata - Obtain a metadata file from the vendor and import it into Access Policy Manager. The advantage to this method is that the vendor provides the majority of all required data, including certificates. You can complete the configuration by simply typing a unique name for the SP connector, a very few additional required fields, and browsing to and importing the file. Access Policy Manager then configures the SP connector.
- From template - Use templates that Access Policy Manager provides for some vendors; for example, Google. The advantages to this method are that:
  - Most required data is included in the template.
  - Additional required data is minimal. You can obtain it and certificates from the vendor.
- Custom - Obtain information from the vendor and type the settings into the Configuration utility. To use this method, you must also obtain certificates from the vendor and import them into the BIG-IP system. Use this method when a metadata file or a template for an SP connector is not available.
Configuring APM as a SAML identity provider
Setting up a BIG-IP system as a SAML identity provider (IdP) system involves two major activities:
- First, you set up connection from the BIG-IP system to the external SAML service providers (SPs)
- Then, you set up connection from the external SAML SPs to the BIG-IP system
Flowchart: Configuration to support SP-initiated connections only
This flowchart illustrates the process for configuring a BIG-IP system as a SAML identity provider (IdP) without providing an SSO portal.
Creating a virtual server for a BIG-IP (as SAML IdP) system
Specify a host virtual server to use as the SAML Identity Provider (IdP).
- On the Main tab, click. The Virtual Server List screen opens.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- For the Destination Address/Mask setting, confirm that the Host button is selected, and type the IP address in CIDR format. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix. The IP address you type must be available and not in the loopback network.
- In the Service Port field, type 443 or select HTTPS from the list.
- For the HTTP Profile (Client) setting, verify that the default HTTP profile, http, is selected.
- For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL profile you previously created and move the name to the Selected list.
- For the SSL Profile (Server) setting, select pcoip-default-serverssl.
- From the Source Address Translation list, select Auto Map.
- Click Finished.
Configuring an artifact resolution service
Before you configure the artifact resolution service (ARS), you need to have configured a virtual server. That virtual server can be the same as the one used for the SAML Identity Provider (IdP), or you can create an additional virtual server. F5 highly recommends that the virtual server definition include a server SSL profile.
You configure an ARS so that a BIG-IP system that is configured as a SAML IdP can provide SAML artifacts in place of assertions. With ARS, the BIG-IP system can receive Artifact Resolve Requests (ARRQ) from service providers, and provide Artifact Resolve Responses (ARRP) for them.
- On the Main tab, click.
- Click Create. The Create New SAML Artifact Resolution Service popup screen opens, showing general settings.
- In the Name field, type a name for the artifact resolution service.
- In the Description field, type a new description.
- Click Service Settings.
- From the Virtual Server list, select the virtual server that you created previously. ARS listens on the IP address and port configured on the virtual server.
- In the Artifact Validity (Seconds) field, type the number of seconds for which the artifact remains valid. The default is 60 seconds. The BIG-IP system deletes the artifact once it has existed for longer than the artifact validity period.
- For the Send Method setting, select the binding to use to send the artifact, either POST or Redirect.
- In the Host field, type the host name defined for the virtual server, for example ars.siterequest.com.
- In the Port field, type the port number defined in the virtual server. The default is 443.
- Click Security Settings.
- To require that artifact resolution messages from an SP be signed, select the Sign Artifact Resolution Request check box.
- To use HTTP Basic authentication for artifact resolution request messages, in the User Name field, type a name for the artifact resolution service request and in the Password field, type a password. These credentials must be present in all Artifact Resolve Requests sent to this ARS.
- Click OK. The popup screen closes, leaving the Artifact Resolution Services list screen open.
The Artifact Resolution Service is ready for use.
Configuring SAML SP connectors
Before you can configure a SAML service provider, you must first obtain an SSL certificate from the SAML service provider (SP) and import it into the certificate store on the BIG-IP system.
You configure information about a SAML service provider so that Access Policy Manager (APM) can act as a SAML Identity Provider (IdP) for it.
Configure one SAML SP connector for each external SAML service provider for which this BIG-IP system provides SSO authentication service.
- On the Main tab, click. A list of SAML SP connectors displays.
- Click Create. The Create New SAML SP Connector screen opens.
- In the Service Provider Name field, type a unique name for the SAML SP connector.
- In the SP Provider Entity ID field, type a unique identifier for the service provider. This is usually a unique URI that represents the service provider. You should obtain this value from the service provider.
- From the left pane, select Endpoint Settings. The appropriate settings are displayed.
- In the Relay State field, type a value. The relay state can be an absolute path, such as /hr/index.html; it can be a URL, such as https://www.abc.com/index.html; or it can be anything that the service provider understands. The service provider can use the information passed in relay state according to its business logic. For example, some service providers use relay state to maintain a session state, while others use it to perform an action, such as redirecting the user to the page passed in relay state. APM sends the relay state value back to the service provider as part of the assertion response in the RelayState parameter. When the RelayState parameter is already part of the authentication request to the BIG-IP system, APM returns the value that was sent in the request. Otherwise, APM uses the value from this configuration.
- In the Assertion Consumer Services area, specify at least one assertion consumer service. A service provider can use multiple bindings to receive an assertion from the Identity Provider. The service provider can specify a different assertion consumer service (ACS) URL for each binding, and provide a unique ACS URL index for the binding. To support SAML artifacts, make sure that at least one ACS specifies the artifact binding.
  - Click Add. A new row displays in the table.
  - In the Index field, type the index number, zero (0) or greater.
  - If this is the default service, select the Default check box. You must specify one of the services as the default.
  - In the Location URL field, type the URL where the IdP can send an assertion to this service provider. APM supports HTTP-Artifact binding, PAOS (reverse SOAP over HTTP) binding, and HTTP-POST binding to this service.
  - From the Binding list, select Artifact, PAOS, or POST.
  - Click Update.
- From the left pane, select Security Settings.
- If the SP should sign the authentication or the artifact resolution requests that it sends to the SAML IdP (this BIG-IP system), select the Require Signed Authentication Request check box, select a private key from the Message Signing Private Key list, and select a certificate from the Message Signing Certificate list. This device (BIG-IP system as IdP) uses the certificate to verify the signature of the request from the SP.
- To require that the SAML IdP sign the assertion before sending it to the SP, select the Assertion must be signed check box, and select an algorithm from the Signing Algorithm list. Assertion must be signed is selected by default. Clearing this check box is not recommended.
- To require that the SAML IdP sign the response before sending it to the SP, select the Response must be signed check box. The algorithm specified in the Signing Algorithm list applies to a signed assertion and a signed response.
- To require that the SAML IdP encrypt the assertion before sending it to the SP, select the Assertion must be encrypted check box, select a type from the Encryption Type list, and select a certificate from the Encryption Certificate list. APM supports AES128, AES192, and AES256 encryption types.
- From the left pane, select SLO Service Settings. SLO stands for Single Logout.
- In the Single Logout Request URL field, type a URL specifying where APM should send a logout request to this service provider when the BIG-IP system initiates a logout request.
- In the Single Logout Response URL field, type a URL provided by the SP, where APM sends the logout response to the SP.
- From the Single Logout Binding list, select how the BIG-IP system sends a logout request to the service provider. APM supports HTTP-POST binding for the SLO service. For SLO to work, all entities (SPs and IdPs) must support SLO.
- From the left pane, select SP Location Settings.
- From the Service Provider Location list, select whether the location of the SP is external, internal, or internal multi-domain. Set Service Provider Location to Internal when configuring APM as a SAML IdP for inline SSO.
- Click OK. The popup screen closes.
APM creates a SAML SP connector. It is available to bind to a SAML IdP service.
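The SP connector screen enforces several consistency rules that are easy to get wrong when entering values by hand (one default ACS, non-negative indexes, an artifact-binding ACS when the IdP uses an ARS, RelayState from the request taking precedence over the configured value). The following Python script is an added example that models those rules so a connector definition can be checked before it is typed in; it is not F5 code and does not talk to a BIG-IP. The class and field names (SPConnector, AssertionConsumerService and so on) are this example's own, and the sample connector values are constructed.

```python
"""Consistency checks for SAML SP connector settings (added example, not F5 code).

Encodes the rules the SP connector procedure states: ACS indexes are zero or
greater and unique, exactly one ACS is the default, bindings are Artifact, PAOS
or POST, an Artifact-binding ACS must exist when the IdP uses an artifact
resolution service, and the RelayState carried in the request wins over the
configured RelayState. All names and sample values here are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

VALID_BINDINGS = {"Artifact", "PAOS", "POST"}


@dataclass
class AssertionConsumerService:
    index: int
    location_url: str
    binding: str
    default: bool = False


@dataclass
class SPConnector:
    name: str
    entity_id: str
    relay_state: str = ""
    acs: List[AssertionConsumerService] = field(default_factory=list)
    require_signed_authn_request: bool = False
    assertion_must_be_signed: bool = True   # selected by default on the screen
    response_must_be_signed: bool = False
    assertion_must_be_encrypted: bool = False


def validate_sp_connector(sp: SPConnector, idp_uses_ars: bool = False) -> List[str]:
    """Return a list of problems; an empty list means the connector is consistent."""
    problems: List[str] = []
    if not sp.entity_id:
        problems.append("SP Provider Entity ID is required")
    if not sp.acs:
        problems.append("at least one assertion consumer service is required")
    defaults = [a for a in sp.acs if a.default]
    if sp.acs and len(defaults) != 1:
        problems.append(f"exactly one ACS must be the default, found {len(defaults)}")
    seen = set()
    for a in sp.acs:
        if a.index < 0:
            problems.append(f"ACS index {a.index} must be zero or greater")
        if a.index in seen:
            problems.append(f"duplicate ACS index {a.index}")
        seen.add(a.index)
        if a.binding not in VALID_BINDINGS:
            problems.append(f"ACS {a.index}: unsupported binding {a.binding!r}")
    if idp_uses_ars and not any(a.binding == "Artifact" for a in sp.acs):
        problems.append("IdP uses an ARS but no ACS specifies the Artifact binding")
    if not sp.assertion_must_be_signed:
        problems.append("clearing 'Assertion must be signed' is not recommended")
    return problems


def select_relay_state(sp: SPConnector, request_relay_state: Optional[str]) -> str:
    """RelayState returned to the SP: the request's value if present, else the configured one."""
    return request_relay_state if request_relay_state else sp.relay_state


def default_acs(sp: SPConnector) -> AssertionConsumerService:
    """The ACS marked Default, which the IdP uses when the request names no index."""
    return next(a for a in sp.acs if a.default)


# Constructed sample connector, as it might be entered on the SP connector screen.
EXAMPLE_SP = SPConnector(
    name="example-sp",
    entity_id="https://sp.example.test/saml/metadata",
    relay_state="/hr/index.html",
    acs=[
        AssertionConsumerService(0, "https://sp.example.test/saml/acs", "POST", default=True),
        AssertionConsumerService(1, "https://sp.example.test/saml/artifact", "Artifact"),
    ],
    require_signed_authn_request=True,
)

if __name__ == "__main__":
    for p in validate_sp_connector(EXAMPLE_SP, idp_uses_ars=True):
        print("problem:", p)
    print("default ACS:", default_acs(EXAMPLE_SP).location_url)
    print("RelayState without request value:", select_relay_state(EXAMPLE_SP, None))
    print("RelayState with request value:", select_relay_state(EXAMPLE_SP, "https://www.abc.com/index.html"))
```

Running the script on a connector that is missing the default flag or an Artifact-binding ACS lists each problem, which mirrors what you would otherwise discover only after the first failed SP-initiated login.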
Configuring a SAML IdP service
Configure a SAML Identity Provider (IdP) service for the BIG-IP system, configured as a SAML IdP, to provide authentication service for SAML service providers (SPs).
Configure this IdP service to meet the requirements of all SAML service providers that you bind with it.
- On the Main tab, click. The Local IdP Services screen opens.
- Click Create. The Create New IdP Service popup screen displays.
- In the IdP Service Name field, type a unique name for the SAML IdP service. The maximum length of a single sign-on configuration name, such as the SAML IdP service name, is 225 characters, including the partition name.
- In the IdP Entity ID field, type a unique identifier for the IdP (this BIG-IP system). Typically, the ID is a URI that points to the BIG-IP virtual server that is going to act as a SAML IdP. If the entity ID is not a valid URL, the Host field is required. For example, type https://siterequest.com/idp, where the path points to the virtual server you use for the BIG-IP system as a SAML IdP.
- If the IdP Entity ID field does not contain a valid URI, you must provide one in the IdP Name Settings area:
  - From the Scheme list, select https or http.
  - In the Host field, type a host name. For example, type siterequest.com in the Host field.
- From the Log Setting list, select one of the following options:
  - Select an existing APM log setting.
  - Click Create to create a new log setting.
- If you select SAML Profiles on the left pane, the Web Browser SSO check box is selected by default. At least one profile must be selected.
- To specify that this IdP use an artifact resolution service, click Endpoint Settings on the left pane and select a service from the Artifact Resolution Service list.
- On the left pane, select Assertion Settings and complete the settings that display:
  - From the Assertion Subject Type list, select the type of subject for the IdP to authenticate.
  - From the Assertion Subject Value list, select the name of a session variable. This variable, %{session.logon.last.username}, is generally applicable. Some session variables are applicable depending on the type of authentication that you use for your site.
  - In the Authentication Context Class Reference field, select a URI reference. The URI reference identifies an authentication context class that describes an authentication context declaration.
  - In the Assertion Validity (in seconds) field, type the number of seconds for which the assertion is valid.
  - To encrypt the subject, select the Enable encryption of Subject check box. The Encryption Strength list becomes available.
  - From the Encryption Strength list, select a value. Supported values are AES128, AES192, and AES256.
- On the left pane, select SAML Attributes, and for each attribute that you want to include in the attribute statement, repeat these substeps.
  - Click Add. A Create New SAML Attribute popup screen displays.
  - In the Name field, type a unique name for the attribute. Usually, the name is a fixed string, but it can be a session variable.
  - To add a value to the attribute, click Add, type a value in the Value(s) field, and click Update to complete the addition. You can use a session variable for the value. This example shows using a fixed string for the name and a session variable for the value. Name: user_telephonenumber and value: %{session.ad.last.attr.telephoneNumber}. You can repeat this step to add multiple values for an attribute.
  - To encrypt the values, select the Encrypt check box and select a value from the Type list. Supported values for type are AES128, AES192, and AES256.
  - Click OK. The Create New SAML Attribute popup screen closes.
- Click Security Settings from the left pane.
- From the Signing Key list, select the key from the BIG-IP system store. None is selected by default.
- From the Signing Certificate list, select the certificate from the BIG-IP system store. When selected, the IdP (the BIG-IP system) publishes this certificate to the service provider so the service provider can verify the assertion. None is selected by default.
- Click OK. The popup screen closes. The new IdP service appears on the list.
Access Policy Manager (APM) creates a SAML IdP service. It is available to bind to SAML SP connectors. This service works with external service providers that share the same requirements for assertion settings and SAML attribute settings.
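To see what the Assertion Settings and SAML Attributes entered above actually produce, the following Python script is an added example that resolves the %{session.*} references from the procedure against a constructed set of session variables, applies the Assertion Validity window, and emits a minimal SAML 2.0 assertion. It is not F5 code and does not reproduce APM's real assertion builder: the session variable names (%{session.logon.last.username}, %{session.ad.last.attr.telephoneNumber}) and the attribute name user_telephonenumber come from the page, while the function names, the mapping of Assertion Subject Type to a NameID Format URI, and the sample session values are this example's assumptions.

```python
"""How IdP service settings shape an assertion (added example, not F5 code).

Resolves %{session.*} references in the Assertion Subject Value and in SAML
attribute names and values, turns Assertion Validity (in seconds) into the
Conditions window, and builds a minimal <saml:Assertion> so each setting's
effect can be inspected. Session values and entity IDs are constructed.
"""
import re
import uuid
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
SESSION_VAR = re.compile(r"%\{(session\.[A-Za-z0-9_.]+)\}")


def resolve(template: str, session: Dict[str, str]) -> str:
    """Replace every %{session.x.y} reference with its value; unknown variables become ''."""
    return SESSION_VAR.sub(lambda m: session.get(m.group(1), ""), template)


def _q(tag: str) -> str:
    return f"{{{SAML_NS}}}{tag}"


def build_assertion(idp_entity_id: str, sp_entity_id: str, subject_type: str,
                    subject_value: str, validity_seconds: int,
                    attributes: List[Tuple[str, List[str]]],
                    session: Dict[str, str], issued_at: datetime) -> ET.Element:
    """Return a minimal <saml:Assertion> reflecting the IdP service settings."""
    ET.register_namespace("saml", SAML_NS)
    assertion = ET.Element(_q("Assertion"), {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": issued_at.strftime(TIME_FMT),
    })
    ET.SubElement(assertion, _q("Issuer")).text = idp_entity_id

    # Assertion Subject Type (assumed here to be a NameID Format URI) and Subject Value.
    subject = ET.SubElement(assertion, _q("Subject"))
    ET.SubElement(subject, _q("NameID"), {"Format": subject_type}).text = resolve(subject_value, session)

    # Assertion Validity (in seconds) becomes the NotOnOrAfter bound.
    conditions = ET.SubElement(assertion, _q("Conditions"), {
        "NotBefore": issued_at.strftime(TIME_FMT),
        "NotOnOrAfter": (issued_at + timedelta(seconds=validity_seconds)).strftime(TIME_FMT),
    })
    ET.SubElement(ET.SubElement(conditions, _q("AudienceRestriction")), _q("Audience")).text = sp_entity_id

    # SAML Attributes: both the name and each value may be session variables.
    stmt = ET.SubElement(assertion, _q("AttributeStatement"))
    for name, values in attributes:
        attr = ET.SubElement(stmt, _q("Attribute"), {"Name": resolve(name, session)})
        for v in values:
            ET.SubElement(attr, _q("AttributeValue")).text = resolve(v, session)
    return assertion


def subject_name_id(assertion: ET.Element) -> str:
    return assertion.find(f"{_q('Subject')}/{_q('NameID')}").text or ""


def attribute_values(assertion: ET.Element, name: str) -> List[str]:
    """All AttributeValue texts for a named attribute in the assertion."""
    ns = {"saml": SAML_NS}
    return [v.text or ""
            for a in assertion.findall("saml:AttributeStatement/saml:Attribute", ns)
            if a.get("Name") == name
            for v in a.findall("saml:AttributeValue", ns)]


def is_within_validity(assertion: ET.Element, now_iso: str) -> bool:
    """True when now_iso (UTC, same format as the assertion) falls inside the Conditions window."""
    cond = assertion.find(_q("Conditions"))
    now = datetime.strptime(now_iso, TIME_FMT)
    return (datetime.strptime(cond.get("NotBefore"), TIME_FMT) <= now
            < datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT))


# Constructed session variables, as APM might populate them after AD authentication.
SAMPLE_SESSION = {
    "session.logon.last.username": "jdoe",
    "session.ad.last.attr.telephoneNumber": "+1 555 0100",
}
ISSUED = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

EXAMPLE_ASSERTION = build_assertion(
    idp_entity_id="https://siterequest.com/idp",
    sp_entity_id="https://sp.example.test/saml/metadata",
    subject_type="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    subject_value="%{session.logon.last.username}",
    validity_seconds=600,
    attributes=[("user_telephonenumber", ["%{session.ad.last.attr.telephoneNumber}"])],
    session=SAMPLE_SESSION,
    issued_at=ISSUED,
)

if __name__ == "__main__":
    print(ET.tostring(EXAMPLE_ASSERTION, encoding="unicode"))
```

The output is unsigned and unencrypted; on the BIG-IP system the Signing Key, Signing Certificate and encryption settings are applied after this content is built, which is why the page recommends leaving Assertion must be signed selected.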
Binding a SAML IdP service to multiple SP connectors
Select a SAML Identity Provider (IdP) service and the SAML service provider (SP) connectors that use the service so that this BIG-IP system can provide authentication (SAML IdP service) to external SAML service providers.
- On the Main tab, click. The Local IdP Services screen opens.
- Select a SAML IdP service from the list. A SAML IdP service provides authentication service.
- Click Bind/Unbind SP Connectors. The screen displays a list of available SAML SP connectors.
- Select only the SAML SP connectors that you want to use this service.
- Click OK. The screen closes.
The SAML IdP service is bound to the SAML service providers specified in the SAML SP connectors.
Exporting SAML IdP metadata from APM
You need to convey the SAML Identity Provider (IdP) metadata from Access Policy Manager (APM) to the external service providers that use the SAML IdP service. Exporting the IdP metadata for a SAML IdP service to a file provides you with the information that you need to do this.
- On the Main tab, click. The Local IdP Services screen opens.
- Select a SAML IdP service from the table and click Export Metadata. A popup screen opens, with No selected on the Sign Metadata list.
- For APM to sign the metadata, perform these steps:
  - From the Sign Metadata list, select Yes.
  - From the Signing Key list, select a key. APM uses the key to sign the metadata.
  - From the Signature Verification Certificate list, select a certificate. APM exports the certificate to the metadata file. The system on which you import the metadata file can use the certificate to verify the metadata signature.
- Select OK. APM downloads an XML file.
Creating an access profile associated with the SAML IdP service
Use this procedure when this BIG-IP system, as a SAML Identity Provider (IdP), supports service provider-initiated connections only.
- On the Main tab, click. The Access Profiles (Per-Session Policies) screen opens.
- Click Create. The New Profile screen opens.
- In the Name field, type a unique name for the access profile.
- In the SSO Across Authentication Domains (Single Domain mode) area, from the SSO Configuration list, select the name of the local SAML IdP service.
- In the Language Settings area, add and remove accepted languages, and set the default language. If no browser language matches one in the accepted languages list, the browser uses the default language.
- Click Finished.
The access profile displays in the Access Profiles List. Default-log-setting is assigned to the access profile.
Verify log settings for the access profile
Confirm that the correct log settings are selected for the access profile to ensure that events are logged as you intend.
Log settings are configured in the area of the product. They enable and disable logging for access system and URL request filtering events. Log settings also specify log publishers that send log messages to specified destinations.
- On the Main tab, click. The Access Profiles (Per-Session Policies) screen opens.
- Click the name of the access profile that you want to edit. The properties screen opens.
- On the menu bar, click Logs. The access profile log settings display.
- Move log settings between the Available and Selected lists. You can assign up to three log settings that enable access system logging to an access profile. You can assign additional log settings to an access profile provided that they enable logging for URL request logging only. Logging is disabled when the Selected list is empty.
- Click Update.
An access profile is in effect when it is assigned to a virtual server.
Configuring an access policy to provide authentication from the local IdP
Configure an access policy so that this BIG-IP system, as a SAML Identity Provider (IdP), can provide authentication for SAML service providers.
- On the Main tab, click. The Access Profiles (Per-Session Policies) screen opens.
- In the Per-Session Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
- Click the (+) icon anywhere in the access policy to add a new item. Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type. A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
- On the Logon tab, select Logon Page and click the Add Item button. The Logon Page Agent properties screen opens.
- Make any changes that you require to the logon page properties and click Save. The properties screen closes and the policy displays.
- Add one or more authentication checks on the fallback branch after the Logon Page action. Select the authentication checks that are appropriate for application access at your site.
- Add any other branches and actions that you need to complete the policy.
- Change the Successful rule branch from Deny to Allow, and then click the Save button.
- Click the Apply Access Policy link to apply and activate the changes to the policy.
- Click the Close button to close the visual policy editor.
You have an access policy that presents a logon page and authenticates the user.
Access policy to provide authentication for SAML service providers when this BIG-IP system is the IdP
To apply this access policy to network traffic, add the access profile to a virtual server.
To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.
Adding the access profile to the virtual server
You associate the access profile with the virtual server so that the system can apply the profile to incoming traffic.
- On the Main tab, click. The Virtual Server List screen opens.
- Click the name of the virtual server you want to modify.
- In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
- Click Update to save the changes.
Adding IdP metadata from APM to external SAML SPs
To complete the agreement between Access Policy Manager as the SAML IdP and a SAML Service Provider (SP), you must configure IdP metadata at the service provider.
Complete this step on each SAML service provider for which an SP connector is bound to the SAML IdP service in APM.
- Using the method that the vendor provides, either:
  - Import the SAML IdP metadata file that you exported from APM for the SAML IdP service that this service provider uses.
  - Or take information from the SAML IdP metadata file that you exported from APM for the SAML IdP service and add it to the service provider using the vendor's interface. Pay particular attention to the values for entityID, AssertionConsumerService, SingleSignOnService, and the certificate. Regardless of the value of entityID in the metadata file, type an SSO URI that consists of the virtual server host and /saml/idp/profile/redirectorpost/sso. For example, if the host virtual server is https://Bigip-idp, type: https://Bigip-idp/saml/idp/profile/redirectorpost/sso
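The metadata file exported in "Exporting SAML IdP metadata from APM" is what the step above asks you to read values from, and it is worth checking before it is handed to an SP, in particular whether it was exported with Sign Metadata set to No. The following Python script is an added example, not F5 code: it parses a SAML 2.0 IdP metadata document, extracts the entityID, the SingleSignOnService endpoints and the signing certificate, reports whether the file carries an XML signature, and builds the SSO URI from the virtual server host using the fixed path the step gives. The metadata document is constructed for the example and its certificate is a placeholder string, not a real certificate; the function names are this example's own.

```python
"""Checking an exported IdP metadata file before loading it into an SP
(added example, not F5 code). The sample metadata is constructed and its
X509Certificate value is a placeholder.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}

# Path the page says to append to the IdP virtual server host for the SSO URI.
SSO_PATH = "/saml/idp/profile/redirectorpost/sso"


def sso_uri(idp_host: str) -> str:
    """SSO URI to enter at the SP: the IdP virtual server host plus the fixed path."""
    return idp_host.rstrip("/") + SSO_PATH


def summarize_idp_metadata(xml_text: str) -> Dict[str, object]:
    """Pull out the values the SP needs and whether the metadata is signed."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"not an EntityDescriptor: {root.tag}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = [{"binding": e.get("Binding"), "location": e.get("Location")}
           for e in idp.findall("md:SingleSignOnService", NS)]
    # A KeyDescriptor without a 'use' attribute applies to both signing and encryption.
    signing_certs = [(c.text or "").strip()
                     for kd in idp.findall("md:KeyDescriptor", NS)
                     if kd.get("use") in (None, "signing")
                     for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {
        "entity_id": root.get("entityID"),
        "signed": root.find("ds:Signature", NS) is not None,
        "sso": sso,
        "signing_certs": signing_certs,
        "wants_signed_authn_requests": idp.get("WantAuthnRequestsSigned") == "true",
    }


def metadata_problems(summary: Dict[str, object]) -> List[str]:
    """Conditions under which the SP side will not be able to trust the IdP."""
    problems: List[str] = []
    if not summary["entity_id"]:
        problems.append("entityID is missing")
    if not summary["sso"]:
        problems.append("no SingleSignOnService endpoint")
    if not summary["signing_certs"]:
        problems.append("no signing certificate: the SP cannot verify assertions")
    if not summary["signed"]:
        problems.append("metadata is not signed; confirm its origin before importing it")
    return problems


# Constructed sample, shaped like an unsigned export; the certificate is a placeholder.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://siterequest.com/idp">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://siterequest.com/saml/idp/profile/redirectorpost/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://siterequest.com/saml/idp/profile/redirectorpost/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    summary = summarize_idp_metadata(SAMPLE_METADATA)
    print("entityID:", summary["entity_id"])
    for endpoint in summary["sso"]:
        print("SSO:", endpoint["binding"], "->", endpoint["location"])
    for p in metadata_problems(summary):
        print("problem:", p)
    print("SSO URI for the SP:", sso_uri("https://Bigip-idp"))
```

The script only inspects structure; it does not verify an XML signature. When the export was signed, validate the signature with the SP vendor's tooling against the Signature Verification Certificate chosen at export time before trusting the contents.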