Applies To:
BIG-IP APM
- 11.5.1
Overview: Federating BIG-IP systems for SAML SSO (with an SSO portal)
In a federation of BIG-IP systems, one BIG-IP system acts as a SAML Identity Provider (IdP) and other BIG-IP systems act as SAML service providers.
This configuration supports:
- Connections that initiate at the IdP or at SAML service providers.
- Service providers that require different types of subject, attributes, and security settings for assertions.
About local IdP service
A SAML IdP service is a type of single sign-on (SSO) authentication service in Access Policy Manager (APM). When you use a BIG-IP system as a SAML identity provider (IdP), a SAML IdP service provides SSO authentication for external SAML service providers (SPs). You must bind a SAML IdP service to SAML SP connectors, each of which specifies an external SP. APM responds to authentication requests from the service providers and produces assertions for them.
About SP connectors
A SAML service provider connector (an SP connector) specifies how a BIG-IP system, configured as a SAML Identity Provider (IdP), connects with an external service provider.
What are the available ways I can configure a SAML SP connector?
You can use one or more of these methods to configure SAML service provider (SP) connectors in Access Policy Manager.
- From metadata - Obtain a metadata file from the vendor and import it into Access Policy Manager. The advantage of this method is that the vendor provides most of the required data, including certificates. You complete the configuration by typing a unique name for the SP connector, filling in a few additional required fields, and browsing to and importing the file. Access Policy Manager then configures the SP connector.
- From template - Use templates that Access Policy Manager provides for some vendors; for example, Google. The advantages of this method are that:
- Most required data is included in the template
- Additional required data is minimal. You can obtain it and certificates from the vendor
- Custom - Obtain information from the vendor and type the settings into the Configuration utility. To use this method, you must also obtain certificates from the vendor and import them into the BIG-IP system. Use this method when a metadata file or a template for an SP connector is not available.
About local SP service
A SAML SP service is a type of AAA service in Access Policy Manager (APM). It requests authentication from an external SAML Identity Provider (IdP) that is specified on APM in a SAML IdP connector. (You bind a SAML service provider (SP) service to one or more SAML IdP connectors.) APM requests authentication from an IdP and consumes assertions from it to allow access to resources behind APM.
About IdP connectors
An IdP connector specifies how a BIG-IP system, configured as a SAML service provider (SP), connects with an external SAML identity provider (IdP).
About methods for configuring SAML IdP connectors in APM
You can use one or more of these methods to configure SAML identity provider (IdP) connectors in Access Policy Manager (APM).
- From metadata - Obtain a metadata file from the vendor and import it into APM. The advantage to this method is that the vendor provides all required data, including the certificate. You can complete the configuration by simply typing a unique name for the identity provider, and browsing to and importing the file. APM imports the certificate to the BIG-IP system and configures the SAML IdP connector.
- From template - Use templates that APM provides for some vendors. The advantages of this method are that:
- Most required data is included in the template. (Note that the certificate is not included.)
- Additional required data is minimal and is available from the vendor.
- Custom - Research the identity provider requirements and type all settings into the Configuration utility. Use this method when a metadata file or a template for an identity provider is not available. APM configures the SAML IdP connector. You must obtain a certificate from the vendor and import it into the BIG-IP system.
- IdP Automation - Provide files with cumulative IdP metadata on remote systems, then configure BIG-IP IdP automation to poll the files periodically and create IdP connectors and bind them to a specific service provider (SP) service.
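The metadata-based methods above (for SP connectors and for IdP connectors, including the cumulative files polled by IdP automation) rely on the file carrying the entityID, endpoints and signing certificate the connector needs. The following added example, which is not F5 code and uses a constructed sample file, reads a SAML metadata document with only the Python standard library and reports, per entity, what a connector would get from it and what is missing or weak (no signing certificate, no endpoint, a non-HTTPS endpoint) before it is imported.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: cumulative file with one IdP and one SP; the certificate body is a placeholder.
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                       xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <md:EntityDescriptor entityID="https://idp.example.test/idp"><md:IDPSSODescriptor>
   <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>PLACEHOLDER-BASE64</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
   <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                           Location="https://idp.example.test/idp/sso"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp.example.test/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true">
   <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                Location="http://sp.example.test/sp/acs" index="0"/>
 </md:SPSSODescriptor></md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def inspect_metadata(xml_text):
    """Per EntityDescriptor: the fields a connector needs plus problems to fix before import."""
    results = []
    # iter() visits the root itself, so a single-EntityDescriptor file works as well.
    for ed in ET.fromstring(xml_text).iter("{%s}EntityDescriptor" % NS["md"]):
        e = {"entityID": ed.get("entityID"), "role": None, "endpoints": [], "signing_certs": 0, "problems": []}
        idp, sp = ed.find("md:IDPSSODescriptor", NS), ed.find("md:SPSSODescriptor", NS)
        role = idp if idp is not None else sp
        if role is None:
            e["problems"].append("no IdP or SP role descriptor")
            results.append(e)
            continue
        e["role"] = "IdP" if idp is not None else "SP"
        ep_tag = "md:SingleSignOnService" if idp is not None else "md:AssertionConsumerService"
        for ep in role.findall(ep_tag, NS):
            loc = ep.get("Location") or ""
            e["endpoints"].append(((ep.get("Binding") or "").rsplit(":", 1)[-1], loc))
            if not loc.startswith("https://"):
                e["problems"].append("endpoint not https: " + loc)
        if not e["endpoints"]:
            e["problems"].append("no " + ep_tag[3:] + " endpoint")
        # A KeyDescriptor with no use attribute serves both signing and encryption.
        for kd in role.findall("md:KeyDescriptor", NS):
            if kd.get("use") in (None, "signing"):
                e["signing_certs"] += len(kd.findall(".//ds:X509Certificate", NS))
        # An IdP connector always needs the IdP signing cert; an SP connector only if the SP signs requests.
        if e["signing_certs"] == 0 and (idp is not None or sp.get("AuthnRequestsSigned") == "true"):
            e["problems"].append("signing certificate missing; obtain it from the vendor")
        results.append(e)
    return results
```

Run `inspect_metadata(open("metadata.xml").read())` against a vendor file; any entry with a non-empty `problems` list is one where the metadata method alone will not produce a complete connector and the custom steps (obtaining and importing the certificate) still apply.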
Task summary
Task list
Setting up SAML federation for BIG-IP systems involves three major activities:
- First, you set up one BIG-IP system as a SAML identity provider (IdP) system
- Next, you set up one or more BIG-IP systems as a SAML service provider (SP)
- Last, you go back to the IdP system and set up connectivity to the SP systems
Flowchart: BIG-IP system federation configuration with SSO portal
This flowchart illustrates the process for configuring BIG-IP systems in federation and providing an SSO portal.
Setting up a BIG-IP system as a SAML IdP
Creating a virtual server for a BIG-IP (as SAML IdP) system
Configuring a SAML IdP service for one SP connector
Exporting SAML IdP metadata from APM
Setting up a BIG-IP system as a SAML service provider system
Configuring an IdP connector from IdP metadata
Creating a virtual server for a BIG-IP (as SAML SP) system
Configuring a SAML SP service for federation
Binding the BIG-IP system (as IdP) with the SP service on this device
Exporting SAML SP metadata from APM
Configuring an access policy to authenticate with an external SAML IdP
Simple access policy to authenticate users against an external SAML IdP
Setting up connectivity from the IdP system to the SP systems
Configuring SAML SP connectors from SAML SP metadata files
Binding a SAML IdP service to one SP connector
Configuring a full webtop
- On the Main tab, click .
- Click Create to create a new webtop.
- Type a name for the webtop you are creating.
- From the Type list, select Full.
- Click Finished.