Applies To:
Show VersionsBIG-IP APM
- 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
Overview: Configuring a BIG-IP system as IdP for SP-initiated connections only
Configuration requirements for supporting SP-initiated connections only
For Access Policy Manager as a SAML identity provider (IdP) to support only connections that start at a service provider, you need to meet these configuration requirements:- SAML IdP services: One.
- SAML SP connectors: One for each SAML service provider.
- SSL certificate and key: One set for each SAML service provider, imported into the store on the BIG-IP system.
- An access profile.
- An access policy.
- A virtual server that assigns the access profile.
About local IdP service
A SAML IdP service is a type of single sign-on (SSO) authentication service in Access Policy Manager (APM). When you use a BIG-IP system as a SAML identity provider (IdP), a SAML IdP service provides SSO authentication for external SAML service providers (SPs). You must bind a SAML IdP service to SAML SP connectors, each of which specifies an external SP. APM responds to authentication requests from the service providers and produces assertions for them.
About SP connectors
A SAML service provider connector (an SP connector) specifies how a BIG-IP system, configured as a SAML Identity Provider (IdP), connects with an external service provider.
What are the available ways I can configure a SAML SP connector?
You can use one or more of these methods to configure SAML service provider (SP) connectors in Access Policy Manager.
- From metadata - Obtain a metadata file from the vendor and import it into Access Policy Manager. The advantage to this method is that the vendor provides the majority of all required data, including certificates. You can complete the configuration by simply typing a unique name for the SP connector, a very few additional required fields, and browsing to and importing the file. Access Policy Manager then configures the SP connector.
- From template - Use templates that Access Policy Manager provides for some vendors; for
example, Google. The advantages to this method are that:
- Most required data is included in the template
- Additional required data is minimal. You can obtain it and certificates from the vendor
- Custom - Obtain information from the vendor and type the settings into the Configuration utility. To use this method, you must also obtain certificates from the vendor and import them into the BIG-IP system. Use this method when a metadata file or a template for an SP connector is not available.
Task summary
Setting up a BIG-IP system as a SAML identity provider (IdP) system involves two major activities:
- First, you set up connection from the BIG-IP system to the external SAML service providers (SPs)
- Then, you set up connection from the external SAML SPs to the BIG-IP system
Task list
Flowchart: Configuration to support SP-initiated connections only
This flowchart illustrates the process for configuring a BIG-IP system as a SAML identity provider (IdP) without providing an SSO portal.
Creating a virtual server for a BIG-IP (as SAML IdP) system
Configuring SAML SP connectors
Configuring a SAML IdP service
Binding a SAML IdP service to multiple SP connectors
Exporting SAML IdP metadata from APM
Creating an access profile associated with the SAML IdP service
Configuring an access policy to provide authentication from the local IdP
Access policy to provide authentication for SAML service providers when this BIG-IP system is the IdP
Adding the access profile to the virtual server
You associate the access profile with the virtual server so that Access Policy Manager can apply the profile to incoming traffic.
Adding IdP metadata from APM to external SAML SPs
- Import the SAML IdP metadata file that you exported from APM for the SAML IdP service that this service provider uses.
- Or take information from the SAML IdP metadata file that you exported
from APM for the SAML IdP service and add it to the service provider using
the vendor's interface. Pay particular attention to the values for entityID,
AssertionConsumerService, SingleSignOnService, and the certificate.Note: Regardless of the value of entityID in the metadata file, type an SSO URI that consists of the virtual server host and /saml/idp/profile/redirectorpost/sso. For example, if the host virtual server is https://Bigip-idp, type: https://Bigip-idp/saml/idp/profile/redirectorpost/sso