Manual Chapter : Using BIG-IP IdP Automation

Applies To:


BIG-IP APM

  • 11.5.1

Overview: Automating SAML IdP connector creation

When a BIG-IP system is configured as a SAML service provider (SP), you can use SAML identity provider (IdP) automation to create new SAML IdP connectors for SP services automatically. Access Policy Manager (APM) polls one or more files that you supply; each file must contain cumulative IdP metadata, that is, the metadata for every IdP that has been added so far, not only the newest ones. After each poll, APM creates IdP connectors for any IdPs it has not seen before and associates them with a specified SP service. At SP-initiated logon, APM uses matching criteria that you supply to send the user to the correct IdP.

When would I use SAML IdP automation?

Here is an example in which SAML Identity Provider (IdP) automation is especially useful. A large service provider (SP) supports a number of SAML identity providers. The service provider defines, on Access Policy Manager (APM), a SAML SP service that governs access to its application. As IdPs come online, the service provider collects metadata from them and aggregates it into a single cumulative metadata file.

Note: The process for collecting and aggregating IdP metadata into a file is up to the service provider.

APM polls the metadata file, creates IdP connectors, associates new connectors to the specified SAML SP service, and ensures that clients performing SP-initiated access are sent to the correct IdP.

Automating IdP connector creation for BIG-IP as SP

To create a BIG-IP Identity Provider (IdP) automation configuration, you need a BIG-IP system that is configured to function as a SAML service provider (SP) and you need to have SAML SP services defined.
You create an IdP automation configuration to automatically create SAML IdP connectors and bind them to an SP service based on cumulative IdP metadata you maintain in a file or files. You specify matching criteria in the IdP automation for APM to use, in order to send a user to the correct IdP.
  1. On the Main tab, click Access Policy > SAML > BIG-IP IdP Automation. The BIG-IP IdP Automation screen opens and displays a table. Each row includes a configuration name, the URLs where IdP metadata files are stored for a particular SP service, and the name of the SP service to which automation applies.
  2. Click Create. The Create New SAML IdP Automation popup screen opens.
  3. In the Name field, type a name for the IdP automation configuration.
  4. For the SP Service setting, select a service from the list. If the SP service you want has not already been defined, click Create to configure it and add it to the list. APM periodically creates SAML IdP connectors and binds them to the SP service you specify here.
  5. From the IdP Matching Source list, select or type the name of a session variable. At the time of SP-initiated SAML single sign-on, APM (as a SAML SP) matches the value of this session variable to the value in the tag that you specify in the Metadata Tag Match Value field.
  6. In the Metadata Tag Match Value field, type the name of a metadata tag. APM extracts the value in this tag from the IdP metadata and matches it with the value of the session variable specified in the IdP Matching Source field.
    Note: The match is exact. Do not include any wildcard in the value.
  7. In the Metadata Tag For IdP Connector Name field, type the name of a tag that is included in the IdP metadata. APM uses the value in the tag to name the IdP connector that it creates.
  8. In the Frequency field, type a number of minutes. This specifies how often APM polls IdP metadata files.
  9. Select Metadata URLs from the left pane. You specify URLs for one or more cumulative metadata files located on remote systems. A URL table displays in the right pane.
  10. Specify a URL for each SAML IdP metadata file to be read. To add each URL, follow these steps:
    1. Click Add. A new field opens in the URL table.
    2. Type a URL. Begin the URL with http or https. For example, type https://mywebsite.com/metadata/idp/idp_metadata.xml.
    3. Click Update. The new URL displays in the top row of the table.
  11. Click OK. The Create SAML IdP Automation screen closes. The new automation displays in the list.
For IdP automation to work, you must publish the cumulative metadata files at the URLs you specified, and keep them reachable from the BIG-IP system at every polling interval. Because the IdP metadata carries the signing certificates that APM will trust for each new IdP, serve the files over https from a host you control: anyone who can alter the file at a metadata URL can add an IdP that APM will accept.
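The following script is an added example, not F5 code and not part of this manual. It simulates what the procedure above configures APM to do: parse a cumulative SAML metadata file, create a connector only for IdPs not already seen, name each connector from one metadata tag (here the assumed `mdui:DisplayName`), and route an SP-initiated logon by exact match of a session-variable value (for example the user's e-mail domain) against another tag (here the assumed `md:OrganizationName`). The metadata, tag choices and session value are all constructed for the example; entities in the file that are not IdPs are skipped, and an ambiguous match is refused rather than guessed.

```python
"""Added example (not F5 code): simulate the matching that BIG-IP IdP
automation performs over a cumulative SAML IdP metadata file.  Tag names,
session values and all metadata below are constructed assumptions."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
}

# Constructed cumulative metadata: two IdPs plus one SP entity that must be ignored.
CUMULATIVE_METADATA = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
  <md:EntityDescriptor entityID="https://idp.example-a.com/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">Example A</mdui:DisplayName>
      </mdui:UIInfo></md:Extensions>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example-a.com/sso"/>
    </md:IDPSSODescriptor>
    <md:Organization>
      <md:OrganizationName xml:lang="en">example-a.com</md:OrganizationName>
    </md:Organization>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sso.example-b.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">Example B</mdui:DisplayName>
      </mdui:UIInfo></md:Extensions>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso.example-b.org/sso"/>
    </md:IDPSSODescriptor>
    <md:Organization>
      <md:OrganizationName xml:lang="en">example-b.org</md:OrganizationName>
    </md:Organization>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example-c.net/saml">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def _tag_text(entity, tag):
    """Text of the first `prefix:local` tag (resolved through NS) under entity, or None."""
    node = entity.find(".//" + tag, NS)
    return node.text.strip() if node is not None and node.text else None


def parse_idps(metadata_xml, name_tag, match_tag):
    """One dict per IdP entity: connector name and match value taken from the
    configured metadata tags, plus the HTTP-Redirect SSO endpoint."""
    root = ET.fromstring(metadata_xml)
    idps = []
    for entity in root.findall("md:EntityDescriptor", NS):
        idp_role = entity.find("md:IDPSSODescriptor", NS)
        if idp_role is None:
            continue  # SP or attribute-authority entities in the aggregate are not IdPs
        sso = idp_role.find("md:SingleSignOnService", NS)
        idps.append({
            "entity_id": entity.get("entityID"),
            "name": _tag_text(entity, name_tag),
            "match_value": _tag_text(entity, match_tag),
            "sso_url": sso.get("Location") if sso is not None else None,
        })
    return idps


def poll(connectors, metadata_xml, name_tag, match_tag):
    """One polling pass over a cumulative file: create connectors only for
    entityIDs not seen yet.  `connectors` (keyed by entityID) is the existing
    state and is updated in place; the newly created connectors are returned."""
    created = []
    for idp in parse_idps(metadata_xml, name_tag, match_tag):
        if idp["entity_id"] in connectors:
            continue  # already has a connector; cumulative files repeat old IdPs
        if not idp["name"] or not idp["match_value"]:
            continue  # cannot be named or routed to; skip rather than guess
        connectors[idp["entity_id"]] = idp
        created.append(idp)
    return created


def select_idp(connectors, session_value):
    """SP-initiated SSO: exact match of the session-variable value against each
    connector's match value (no wildcards).  An ambiguous match is refused."""
    hits = [c for c in connectors.values() if c["match_value"] == session_value]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    state = {}
    new = poll(state, CUMULATIVE_METADATA, "mdui:DisplayName", "md:OrganizationName")
    print("created:", [c["name"] for c in new])
    print("second poll created:", poll(state, CUMULATIVE_METADATA,
                                       "mdui:DisplayName", "md:OrganizationName"))
    chosen = select_idp(state, "example-b.org")  # e.g. the domain part of the logon name
    print("redirect to:", chosen["sso_url"] if chosen else "no IdP matched")
```

The second `poll` call returns nothing because the file is cumulative and both IdPs already have connectors; this is the behaviour the Frequency setting relies on. The exact-match rule in `select_idp` mirrors the note that the Metadata Tag Match Value takes no wildcard, so a session value such as `example-*` matches no IdP.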