Manual Chapter : Using BIG-IP IdP Automation

Applies To:


BIG-IP APM

  • 16.0.1, 16.0.0

Using BIG-IP IdP Automation

Overview: Automating SAML IdP connector creation

When a BIG-IP system is configured as a SAML service provider (SP), you can use SAML identity provider (IdP) automation to automatically create new SAML IdP connectors for SP services. Access Policy Manager (APM®) polls a file or files that you supply; the files must contain cumulative IdP metadata. After polling, APM creates IdP connectors for any new IdPs and associates them with a specified SP service. APM uses matching criteria that you supply to send the user to the correct IdP.

When would I use SAML IdP automation?

Here is an example in which SAML Identity Provider (IdP) automation is especially useful. A large service provider (SP) supports a number of SAML identity providers. The service provider defines a SAML SP service on Access Policy Manager (APM) for access to that service. As IdPs come online, the service provider collects metadata from them and aggregates the IdP metadata into a file.
The process for collecting and aggregating IdP metadata into a file is up to the service provider.
APM polls the metadata file, creates IdP connectors, associates new connectors to the specified SAML SP service, and ensures that clients performing SP-initiated access are sent to the correct IdP.

Automating IdP connector creation for a BIG-IP system as SP

To create a BIG-IP Identity Provider (IdP) automation configuration, you need a BIG-IP system that is configured to function as a SAML service provider (SP) and you need to have SAML SP services defined.
You create a connector automation configuration to automatically create SAML IdP connectors and bind them to an SP service based on cumulative IdP metadata you maintain in a file or files. You specify matching criteria in connector automation for APM to use, in order to send a user to the correct IdP.
  1. On the Main tab, click Access > Federation > SAML Service Provider > Connector Automation.
    The Connector Automation screen opens and displays a table. Each row includes a configuration name, the URLs where IdP metadata files are stored for a particular SP service, and the name of the SP service to which automation applies.
  2. Click Create.
    The Create New SAML IdP Automation popup screen opens.
  3. In the Name field, type a name for the IdP automation configuration.
  4. For the SP Service setting, select a service from the list.
    If the SP service you want has not already been defined, click Create to configure it and add it to the list.
    APM periodically creates SAML IdP connectors and binds them to the SP service you specify here.
  5. From the IdP Matching Source list, select or type the name of a session variable.
    At the time of SP-initiated SAML single sign-on, APM (as a SAML SP) matches the value of this session variable to the value in the tag that you specify in the Metadata Tag Match Value field.
  6. In the Metadata Tag Match Value field, type the name of a metadata tag.
    APM extracts the value in this tag from the IdP metadata and matches it with the value of the session variable specified in the IdP Matching Source field.
    Do not include any wildcard in the value.
  7. In the Metadata Tag For IdP Connector Name field, type the name of a tag that is included in the IdP metadata.
    APM uses the value in the tag to name the IdP connector that it creates.
  8. In the Frequency field, type a number of minutes.
    This specifies how often APM polls the IdP metadata files.
  9. Select Metadata URLs from the left pane.
    Here you specify URLs for one or more cumulative metadata files located on remote systems.
    A URL table displays in the right pane.
  10. Specify a URL for each SAML IdP metadata file to be read. To add each URL, follow these steps:
    1. Click Add.
      A new field opens in the URL table.
    2. Type a URL. Begin the URL with http or https. For example, type https://mywebsite.com/metadata/idp/idp_metadata.xml.
    3. Click Update.
      The new URL displays in the top row of the table.
  11. Click OK.
    The Create SAML IdP Automation screen closes. The new automation displays in the list.
For IdP automation to work, you must provide the metadata files as specified in the metadata URLs.
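The following Python script is an added example that models the behaviour this chapter describes (a cumulative metadata file, connector creation for IdPs that are new, naming from one metadata tag, and exact matching of a session variable against another tag). It is not F5 code and does not show how APM implements the feature internally. It assumes the cumulative file is a standard SAML 2.0 EntitiesDescriptor, that a "metadata tag" names an element inside each EntityDescriptor (OrganizationName is used here), and that connectors are tracked in a dictionary keyed by entityID; the metadata content, hostnames, and session-variable value are all constructed for the example.

```python
"""Added example (not F5 code): a model of SAML IdP connector automation.

Assumptions: the cumulative metadata file is a SAML 2.0 EntitiesDescriptor;
a "metadata tag" in the automation settings is the local name of an element
inside each EntityDescriptor (OrganizationName here); connectors are kept in
a dict keyed by entityID. All metadata content and hostnames are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}

# Constructed cumulative metadata: two IdPs plus one SP entry that must be ignored.
CUMULATIVE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp-a.example.org/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://idp-a.example.org/sso"/>
    </md:IDPSSODescriptor>
    <md:Organization>
      <md:OrganizationName xml:lang="en">alpha.example.org</md:OrganizationName>
    </md:Organization>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-b.example.org/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://idp-b.example.org/sso"/>
    </md:IDPSSODescriptor>
    <md:Organization>
      <md:OrganizationName xml:lang="en">beta.example.org</md:OrganizationName>
    </md:Organization>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.net/saml">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    <md:Organization>
      <md:OrganizationName xml:lang="en">sp.example.net</md:OrganizationName>
    </md:Organization>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse_cumulative_metadata(xml_text):
    """Return one record per IdP in the file; entries without an IDPSSODescriptor are skipped."""
    entities = []
    for ed in ET.fromstring(xml_text).iter(f"{{{MD}}}EntityDescriptor"):
        if ed.find("md:IDPSSODescriptor", NS) is None:
            continue  # an SP or other non-IdP entity: never becomes a connector
        sso = ed.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
        # Collect the first non-empty text value for each element local name,
        # so a "metadata tag" setting can be looked up by name.
        tags = {"entityID": ed.get("entityID")}
        for el in ed.iter():
            local = el.tag.split("}", 1)[-1]
            if el.text and el.text.strip() and local not in tags:
                tags[local] = el.text.strip()
        entities.append({"entity_id": ed.get("entityID"),
                         "sso_url": sso.get("Location") if sso is not None else None,
                         "tags": tags})
    return entities


def sync_connectors(connectors, entities, name_tag):
    """One poll: create a connector for each IdP not yet known, named from name_tag.

    Because the file is cumulative, a re-poll of an unchanged file creates nothing.
    Returns the names of connectors created in this poll, in file order.
    """
    created = []
    for e in entities:
        if e["entity_id"] in connectors:
            continue
        name = e["tags"].get(name_tag)
        if not name:
            continue  # no value to name the connector from: leave for the operator
        connectors[e["entity_id"]] = {"name": name, "sso_url": e["sso_url"], "tags": e["tags"]}
        created.append(name)
    return created


def select_idp(connectors, match_tag, session_value):
    """SP-initiated SSO: exact comparison of the session variable with the tag value.

    No wildcards are honoured. Returns the single matching connector, or None
    when nothing matches or the match is ambiguous.
    """
    matches = [c for c in connectors.values() if c["tags"].get(match_tag) == session_value]
    return matches[0] if len(matches) == 1 else None


def validate_metadata_url(url):
    """Step 10 rule: a metadata URL must begin with http or https and name a host."""
    parsed = urlparse(url)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


if __name__ == "__main__":
    known = {}
    idps = parse_cumulative_metadata(CUMULATIVE_METADATA)
    print("created:", sync_connectors(known, idps, "OrganizationName"))
    print("re-poll created:", sync_connectors(known, idps, "OrganizationName"))
    print("beta ->", select_idp(known, "OrganizationName", "beta.example.org"))
```

Two design points carry over to a production deployment: the SP entry in the file is skipped rather than turned into a connector, and matching is an exact string comparison with no wildcard handling, which is why step 6 tells you not to put a wildcard in the tag value.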