Manual Chapter : BIG-IP System Federation for SP-Initiated Connections

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 11.5.1
Manual Chapter

Overview: Federating BIG-IP systems for SAML SSO (without an SSO portal)

In a federation of BIG-IP systems, one BIG-IP system acts as a SAML Identity Provider (IdP) and other BIG-IP systems act as SAML service providers (SPs).

This configuration supports:

  • Only those connections that initiate at a service provider.
  • Only service providers that accept assertions with similar subject type, attributes, and security settings.

About SAML IdP discovery

On a BIG-IP system that you use as a SAML service provider (SP), you can bind an SP service to one or more SAML Identity Provider (IdP) connectors (each of which specifies an external IdP). When you bind an SP service to multiple IdP connectors, Access Policy Manager chooses the correct IdP connector at run time through a filtering and matching process called IdP discovery.

Scenario

You might bind multiple IdP connectors to an SP service on the BIG-IP system when you must provide services to different businesses and universities, each of which specifies an IdP to identify their users. When the user's information arrives at the SP service on the BIG-IP system, the SP service identifies the correct IdP and redirects the user to authenticate against that IdP before the SP service provides access to the service.

Note: The SP service performs IdP discovery for a user only when the user initiates connection from an SP.

Session variables and the typical access policy for BIG-IP system as SP

On a BIG-IP system configured as an SP, the typical access policy presents a logon page to the user. The Logon Page action populates session variables. You can customize the Logon Page action and affect session variable values. A SAML Auth action follows the logon page.

Example typical access policy on BIG-IP system as SAML SP

A SAML Auth action specifies an SP service. An SP service is an AAA service that requests authentication from an external IdP (specified in an IdP connector).

Session variables and SAML IdP discovery

Among multiple IdP connectors, the BIG-IP system must discover the correct external IdP with which to authenticate a user. For IdP discovery to work, you must specify matching criteria, a session variable name and value, for each IdP connector.

For example, users of a service might go to a particular landing page. When you bind the IdP connector, for the external IdP that serves those users, to the SP service, select the %{session.server.landinguri} session variable and supply a landing path value, such as, /south*. For users going to URLs such as https://sp-service/southwest and https://sp-service/southeast, the SP service selects the same IdP to authenticate them.

Logon Page action customization

These are some common customization examples for the Logon Page action.

Example typical access policy on BIG-IP system as SAML SP Setting the value of session.logon.last.domain variable to the domain name only
Select Yes for Split domain from full Username. The Logon Page agent takes the user name, such as joe@office.com, that was entered and creates the following session variables with these values.
Session Variable Value
%{session.logon.last.username} joe
%{session.logon.last.domain} office.com
%{session.logon.last.logonname} joe@office.com
Example typical access policy on BIG-IP system as SAML SP Obtaining and email address as the username
Change the prompt for the first field (username field). To omit the password, select Type none.

About local IdP service

A SAML IdP service is a type of single sign-on (SSO) authentication service in Access Policy Manager (APM). When you use a BIG-IP system as a SAML identity provider (IdP), a SAML IdP service provides SSO authentication for external SAML service providers (SPs). You must bind a SAML IdP service to SAML SP connectors, each of which specifies an external SP. APM responds to authentication requests from the service providers and produces assertions for them.

About SP connectors

A SAML service provider connector (an SP connector) specifies how a BIG-IP system, configured as a SAML Identity Provider (IdP), connects with an external service provider.

What are the available ways I can configure a SAML SP connector?

You can use one or more of these methods to configure SAML service provider (SP) connectors in Access Policy Manager.

  • From metadata - Obtain a metadata file from the vendor and import it into Access Policy Manager. The advantage to this method is that the vendor provides the majority of all required data, including certificates. You can complete the configuration by simply typing a unique name for the SP connector, a very few additional required fields, and browsing to and importing the file. Access Policy Manager then configures the SP connector.
  • From template - Use templates that Access Policy Manager provides for some vendors; for example, Google. The advantages to this method are that:
    • Most required data is included in the template
    • Additional required data is minimal. You can obtain it and certificates from the vendor
    After you select a template and type data into a few fields, Access Policy Manager configures the SP connector.
  • Custom - Obtain information from the vendor and type the settings into the Configuration utility. To use this method, you must also obtain certificates from the vendor and import them into the BIG-IP system. Use this method when a metadata file or a template for an SP connector is not available.

About local SP service

A SAML SP service is a type of AAA service in Access Policy Manager (APM ). It requests authentication from an external SAML Identity Provider (IdP) that is specified on APM in a SAML IdP connector. (You bind a SAML service provider (SP) service to one or more SAML IdP connectors.) APM requests authentication from an IdP and consumes assertions from it to allow access to resources behind APM.

About IdP connectors

An IdP connector specifies how a BIG-IP system, configured as a SAML service provider (SP), connects with an external SAML identity provider (IdP).

About methods for configuring SAML IdP connectors in APM

You can use one or more of these methods to configure SAML identity provider (IdP) connectors in Access Policy Manager (APM).

  • From metadata - Obtain a metadata file from the vendor and import it into APM. The advantage to this method is that the vendor provides all required data, including the certificate. You can complete the configuration by simply typing a unique name for the identity provider, and browsing to and importing the file. APM imports the certificate to the BIG-IP system and configures the SAML IdP connector.
  • From template - Use templates that APM provides for some vendors. The advantages to this method are that:
    • Most required data is included in the template. (Note that the certificate is not included.)
    • Additional required data is minimal and is available from the vendor.
    APM configures the SAML IdP connector. You must obtain a certificate from the vendor and import it into the BIG-IP system.
  • Custom - Research the identity provider requirements and type all settings into the Configuration utility. Use this method when a metadata file or a template for an identity provider is not available. APM configures the SAML IdP connector. You must obtain a certificate from the vendor and import it into the BIG-IP system.
  • IdP Automation - Provide files with cumulative IdP metadata on remote systems, then configure BIG-IP IdP automation to poll the files periodically and create IdP connectors and bind them to a specific service provider (SP) service.

Task summary

Setting up SAML federation for BIG-IP systems involves three major activities:

  • First, you set up one BIG-IP system as a SAML identity provider (IdP) system
  • Next, you set up one or more BIG-IP systems as a SAML service provider (SP)
  • Last, you go back to the IdP system and set up connectivity to the SP systems

Task list

Flowchart: BIG-IP system federation configuration

This flowchart illustrates the process for configuring BIG-IP systems in federation without providing an SSO portal.

configuration flow for  SAML federation of BIG-IP systems

Setting up a BIG-IP system as a SAML IdP

You log in to the BIG-IP system that you have selected to act as the SAML Identity Provider (IdP) so that you can configure elements that are required for SAML federation.
Log on to the BIG-IP system that you have selected to act as the SAML IdP in a SAML federation of BIG-IP systems.

Creating a virtual server for a BIG-IP (as SAML IdP) system

Before you start this task, configure a client SSL profile and a server SSL profile if you are going to create an SSL virtual server.
Note: Access Policy Manager supports using a non-SSL virtual server for the BIG-IP system configured as a SAML Identity Provider (IdP). However, we recommend using an SSL virtual server for security reasons. The following procedures include steps that are required for configuring an SSL virtual server, such as selecting client and server SSL profiles, and setting the service port to HTTPS.
Specify a host virtual server to use as the SAML IdP.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the Create button. The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For the Destination setting, select Host and in the Address field, type the IP address for the virtual server.
  5. In the Service Port field, type 443 or select HTTPS from the list.
  6. For the HTTP Profile setting, verify that the default HTTP profile, http, is selected.
  7. For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL profile you previously created, and using the Move button, move the name to the Selected list.
  8. For the SSL Profile (Server) setting, from the Available list, select the name of the Server SSL profile you previously created, and using the Move button, move the name to the Selected list.
  9. Click Finished.
The virtual server for the BIG-IP system configured as an IdP now appears on the Virtual Server List. The virtual server destination is available for use in one or more SAML IdP service configurations.

Configuring a SAML IdP service

Configure a SAML Identity Provider (IdP) service for the BIG-IP system, configured as a SAML IdP, to provide authentication service for SAML service providers (SPs).
Note: Configure this IdP service to meet the requirements of all SAML service providers that you bind with it.
  1. On the Main tab, click Access Policy > SAML > BIG-IP as IdP. The BIG-IP as IdP screen displays a list of SAML IdP services.
  2. Click Create. The Create New IdP Service popup screen displays.
  3. In the IdP Service Name field, type a unique name for the SAML IdP service.
  4. In the IdP Entity ID field, type a unique identifier for the IdP (this BIG-IP system). Include the URI that points to the virtual server with the BIG-IP system and a unique path. For example, if you type https://bigip-idp/idp, https://bigip-idp should point to the virtual server you use for the BIG-IP system as a SAML IdP and /idp is a string that distinguishes one IdP from another when this BIG-IP system supports multiple SAML IdP services. The path portion on the IdP Entity ID is not a physical location on the BIG-IP system.
  5. Click Assertion Settings from the left pane. The applicable settings display.
    1. From the Assertion Subject Type list, select the type of subject for the IdP to authenticate.
    2. From the Assertion Subject Value list, select the name of a session variable. This variable, %{session.logon.last.username}, is generally applicable. Some session variables are applicable depending on the type of authentication that you use for your site.
    3. Select the Enable encryption of Subject check box to encrypt the subject. The Encryption Strength list becomes available.
    4. From the Encryption Strength list, select a value. Supported values are AES128, AES192, and AES256.
  6. Click SAML Attributes from the left pane. The SAML Attributes list displays. For each attribute that you want to include in the attribute statement, repeat these substeps.
    1. Click Add.
    2. Type a name and a value in the new row. Usually, the name is a fixed string; it can be a session variable. You can use a session variable for the value. This example shows using a fixed string for the name and a session variable for the value. Name: user_telephonenumber and value: %{session.ad.last.attr.telephoneNumber}.
    3. Select the Encrypt check box and select a value from the Type list. Select the check box to encrypt the attribute. Supported values for type are AES128, AES192, and AES256.
    4. Click Update.
  7. Click Security Settings from the left pane.
    1. From the This device's Assertion Signing Key list, select the key from the BIG-IP system store. None is selected by default.
    2. From the This device's Public Certificate list, select the certificate from the BIG-IP system store. When selected, the IdP (the BIG-IP system) publishes this certificate to the service provider so that the service provider can verify the assertion. None is selected by default.
  8. Click OK. The popup screen closes. The new IdP service appears on the list.
APM creates a SAML IdP service. It is available to bind to SAML SP connectors. This service works with external service providers that share the same requirements for assertion settings and SAML attribute settings.

Exporting SAML IdP metadata from APM

You need to convey the SAML Identity Provider (IdP) metadata from APM to the external service providers that use the SAML IdP service. Exporting the IdP metadata for a SAML IdP service to a file provides you with the information that you need to do this.
  1. On the Main tab, click Access Policy > SAML > BIG-IP as IdP. The BIG-IP as IdP screen displays a list of SAML IdP services.
  2. Select a SAML IdP service from the table and click Export Metadata. A popup screen opens, with No selected on the Sign Metadata list.
  3. For APM to sign the metadata, perform these steps:
    1. Select Yes from the Sign Metadata list.
    2. Select a key from the Signing Key list. APM uses the key to sign the metadata.
    3. Select a certificate from the Signature Verification Certificate list. APM exports the certificate to the metadata file. The system on which you import the metadata file can use the certificate to verify the metadata signature.
  4. Select OK. APM downloads an XML file.
An XML file that contains IdP metadata is available.

Setting up a BIG-IP system as a SAML service provider system

You log in once to each BIG-IP system that you have selected to act as a SAML service provider so that you can configure the elements on it that are required for federation with other BIG-IP systems, one of which functions as an SAML IdP.
Log on to a BIG-IP system that you have selected to act as a SAML SP in a federation of BIG-IP systems.

Configuring an IdP connector from IdP metadata

Locate the SAML IdP metadata file that you exported from the BIG-IP system (as IdP). If the metadata file is signed, obtain the certificate also; import it into the BIG-IP system store on this device.
Import IdP metadata to create a SAML IdP connector on this BIG-IP system. The SAML IdP connector enables this BIG-IP system to connect and exchange information with the external BIG-IP system that acts as the IdP in the SAML federation.
  1. On the Main tab, click Access Policy > SAML > BIG-IP as IdP. The BIG-IP as IdP screen opens and displays a list of local IdP services.
  2. On the menu bar, click External IdP Connectors. A list of SAML IdP connectors displays.
  3. Select Create > From Metadata. The Create New SAML IdP Connector screen opens.
  4. In the Select File field, browse to and select the metadata file for the IdP.
  5. In the Identity Provider Name field, type a unique name for the IdP.
  6. If the metadata is signed, select a certificate from the Select Signing Certificate list.
  7. Click OK. The file is uploaded, the SAML IdP connector is created, and the screen closes.
The SAML IdP connector is displayed on the SAML IdP Connectors list.

Creating a virtual server for a BIG-IP (as SAML SP) system

Before you start this task, configure a client SSL profile and a server SSL profile.
Note: Access Policy Manager supports using a non-SSL virtual server for the BIG-IP system (as SP). However, we highly recommend using an SSL virtual server for security reasons. The following procedure includes steps that are required for configuring an SSL virtual server. These are: selecting client and server SSL profiles and setting the service port to HTTPS.
Specify a host virtual server to use as the SAML SP.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the Create button. The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For the Destination setting, select Host and in the Address field, type the IP address for the virtual server.
  5. In the Service Port field, type 443 or select HTTPS from the list.
  6. For the HTTP Profile setting, verify that the default HTTP profile, http, is selected.
  7. For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL profile you previously created, and using the Move button, move the name to the Selected list.
  8. For the SSL Profile (Server) setting, from the Available list, select the name of the Server SSL profile you previously created, and using the Move button, move the name to the Selected list.
  9. Click Finished.
The virtual server for the BIG-IP system configured as an SP now appears on the Virtual Server List. The virtual server destination is available for use in a SAML SP service configuration.

Configuring a SAML SP service for federation

Configure a SAML SP service for Access Policy Manager to provide AAA authentication, requesting authentication and receiving assertions from a SAML IdP.
  1. On the Main tab, click Access Policy > SAML > BIG-IP as IdP. The BIG-IP as IdP screen opens and displays a list of local IdP services.
  2. Click Create. The Create New SAML SP Service screen opens.
  3. In the Name field, type a unique name for the SAML SP service.
  4. In the Entity ID field, type a unique identifier for the service provider that includes the URI that points to the virtual server you created for this BIG-IP system and a unique path. For example, if you type https://bigip-sp/sp, then https:/bigip-sp points to the virtual server on this BIG-IP system and "/sp" is a unique string.
    Note: The path is not a physical path on the BIG-IP system, but a string that distinguishes one SAML SP service from another when multiple SAML SP services are configured on this BIG-IP system.
  5. In the Relay State field, type a scheme, host, and path. This is a path is where this BIG-IP system redirects users after they are authenticated.
  6. From the left pane, select Security Settings. The screen changes to display the applicable settings.
    1. Select Signed Authentication Request if you want this BIG-IP system to send signed authentication requests to the SAML IdP.
    2. Select Want Encrypted Assertion if this BIG-IP system requires encrypted assertions from the SAML IdP.
    3. Select Want Signed Assertion if the BIG-IP service provider system requires signed assertions from the SAML IdP. This is selected by default. It is recommended that it be selected.
    4. From SP's Authentication Signing/Assertion Decryption Private Key, select a key from the BIG-IP system store on this device. You can select a private key only when you select at least one of these check boxes: Signed Authentication Request and Want Encrypted Assertion. APM uses this private key to sign the authentication request to the IdP and to decrypt an encrypted assertion from the IdP.
    5. From SP Certificate, select a certificate. APM includes this certificate in the SAML SP metadata that you export. After the SAML SP metadata is imported on the IdP, the IdP can use this certificate to verify a signed authentication request and to encrypt an assertion.
  7. Click OK. The screen closes.
APM creates the SAML SP service. It is available to bind to SAML IdP connectors and to export to a metadata file.

Binding the BIG-IP system (as IdP) with the SP service on this device

Bind the SAML SP service for this device (BIG-IP system) to the SAML IdP connector for the external BIG-IP system that acts as the IdP, so that this device requests authentication service from the IdP.
  1. On the Main tab, click Access Policy > SAML > BIG-IP as IdP. The BIG-IP as IdP screen opens and displays a list of local IdP services.
  2. Select a SAML SP service from the list.
  3. Click Bind/Unbind IdP Connectors. A pop-up screen displays a list of any IdP connectors that are associated with this SP service.
  4. Click Add New Row.
  5. Select the SAML IdP connector for the BIG-IP system that acts as the IdP in the federation. Because you are binding only one IdP connector to the SP service, you do not need to fill in the Matching Source and Matching Value fields.
  6. Click Update. The configuration is not saved until you click OK.
  7. Click OK. APM saves the configuration. The screen closes.
The SAML IdP connector that you selected is bound to the SAML SP service.

Exporting SAML SP metadata from APM

You need to convey the SP metadata from APM to the external SAML IdP that provides authentication service to this SP. Exporting the SAML SP metadata to a file provides you with the information that you need to do this.
  1. On the Main tab, click Access Policy > SAML > BIG-IP as IdP. The BIG-IP as IdP screen opens and displays a list of local IdP services.
  2. Select an SP service from the list and click Export Metadata. A popup window opens, displaying No on the Sign Metadata list.
  3. For APM to sign the metadata, perform these steps:
    1. Select Yes from the Sign Metadata list.
    2. Select a key from the Signing Key list. APM uses the key to sign the metadata.
    3. Select a certificate from the Signature Verification Certificate list. APM exports the certificate to the metadata file. The system on which you import the metadata file can use the certificate to verify the metadata signature.
  4. Select OK. APM downloads an XML file.
You must either import the XML file on the IdP system or use the information in the XML file to configure SP metadata on the IdP system .

Configuring an access policy to authenticate with an external SAML IdP

Before you start this task, configure an access profile.
When you use this BIG-IP system as a SAML service provider (SP), configure an access policy to direct users to an external SAML Identity Provider (IdP) for authentication .
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. In the Access Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new action item. A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. On the Authentication tab, select SAML Auth and click the Add Item button. The SAML Auth properties window opens.
  5. In the SAML Authentication SP area from the AAA Server list, select a SAML SP service and click Save. The Access Policy window displays.
  6. Add any additional actions that you require to complete the policy.
  7. Change the Successful rule branch from Deny to Allow and click the Save button.
  8. At the top of the window, click the Apply Access Policy link to apply and activate your changes to this access policy.
  9. Click the Close button to close the visual policy editor.
You have an access policy that uses SAML authentication against an external SAML IdP and further qualifies the resources that a user can access.
Simple access policy to authenticate users against an external SAML IdP
Example access policy for SAML IdP-initiated connection
To put the access policy into effect, you must attach it to a virtual server.

Adding the access profile to the virtual server

You associate the access profile with the virtual server so that Access Policy Manager can apply the profile to incoming traffic.

  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. In the Access Policy area, from the Access Profile list, select the access profile.
  4. Click Update to save the changes.
Your access policy is now associated with the virtual server.

Setting up connectivity from the IdP system to the SP systems

You log in to the BIG-IP system that you configured as the SAML Identity Provider (IdP) so that you can set up connectivity to the BIG-IP systems you configured as SAML service providers (SPs).
Log on to the BIG-IP system that you have selected to act as the SAML IdP in a SAML federation of BIG-IP systems.

Configuring SAML SP connectors from SAML SP metadata files

Import SP metadata into this BIG-IP system from each BIG-IP system that is configured as an SP to create SP connectors in this system that you can use to create a federation of BIG-IP systems.
  1. On the Main tab, click Access Policy > SAML > BIG-IP as IdP. The BIG-IP as IdP screen displays a list of SAML IdP services.
  2. On the menu bar, click External SP Connectors. A list of SAML SP connectors displays.
  3. Select Create > From Metadata The Create New SAML Service Provider window opens.
  4. In the Select File field, browse to and select the metadata file for the service provider.
  5. In the Service Provider Name field, type a unique name for the service provider.
  6. If the metadata is signed, select the certificate from the Select Signing Certificate list.
  7. Click OK. The file is uploaded, the SAML SP connector is created, and the window closes.
The SAML SP connector is displayed on the External SP Connectors list.

Binding IdP service and SP connectors for federation

Select a SAML Identity Provider (IdP) service and the SAML service provider (SP) connectors that use the service so that this BIG-IP system can provide authentication (SAML IdP service) to external SAML service providers.
  1. On the Main tab, click Access Policy > SAML > BIG-IP as IdP. The BIG-IP as IdP screen displays a list of SAML IdP services.
  2. Select a SAML IdP service from the list. A SAML IdP service provides authentication service.
  3. Click Bind/Unbind SP Connectors. The screen displays a list of available SAML SP connectors.
  4. Select the SAML SP connectors for the external BIG-IP systems that are configured as SPs and that you want to use this service.
  5. Click OK. The screen closes.
The SAML IdP service is bound to the external SAML service providers specified in the SAML SP connectors.

Creating an access profile associated with the SAML IdP service

Use this procedure when this BIG-IP system, as a SAML Identity Provider (IdP), supports service provider-initiated connections only.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. Click Create. The New Profile screen opens.
  3. Type a name for the access profile.
  4. In the SSO Across Authentication Domains (Single Domain mode) area, from the SSO Configuration list, select the name of the local SAML IdP service.
  5. In the Language Settings area, add and remove accepted languages, and set the default language. A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  6. Click Finished.
The access profile now shows up in the Access Profiles List.

Configuring an access policy to provide authentication from the local IdP

Configure an access policy so that this BIG-IP system, as a SAML Identity Provider (IdP) can provide authentication for SAML service providers.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. In the Access Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new action item. A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. On the Logon tab, select Logon Page and click the Add Item button. The Logon Page Agent properties screen opens.
  5. Make any changes that you require to the logon page properties and click Save. The properties screen closes and the visual policy editor displays.
  6. Add one or more authentication checks on the fallback branch after the Logon Page action. Select the authentication checks that are appropriate for application access at your site.
  7. Optional: Add any other branches and actions that you need to complete the access policy.
  8. Change the Successful rule branch from Deny to Allow and click the Save button.
  9. Click the Apply Access Policy link to apply and activate the changes to the access policy.
  10. Click the Close button to close the visual policy editor.
You have an access policy that presents a logon page and authenticates the user..
Access policy to provide authentication for SAML service providers when this BIG-IP system is the IdP
Example access policy for SAML IdP-initiated connection
To put the access policy into effect, you must attach it to a virtual server.

Adding the access profile to the virtual server

You associate the access profile with the virtual server so that Access Policy Manager can apply the profile to incoming traffic.

  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. In the Access Policy area, from the Access Profile list, select the access profile.
  4. Click Update to save the changes.
Your access policy is now associated with the virtual server.