Applies To:
BIG-IP APM
- 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
About configuration requirements for APM as a SAML service provider
For Access Policy Manager to act as a SAML service provider (SP), you must create this configuration.
- SAML SP service - One.
- SAML Identity Provider (IdP) connectors - One or more.
- An SSL certificate and key from each SAML IdP, imported into the store on the BIG-IP system.
- An access profile.
- An access policy that includes the SAML Auth agent.
- A virtual server that assigns the access profile.
About local SP service
A SAML SP service is a type of AAA service in Access Policy Manager (APM). It requests authentication from an external SAML Identity Provider (IdP) that is specified on APM in a SAML IdP connector. (You bind a SAML service provider (SP) service to one or more SAML IdP connectors.) APM requests authentication from an IdP and consumes assertions from it to allow access to resources behind APM.
About SAML IdP discovery
On a BIG-IP system that you use as a SAML service provider (SP), you can bind an SP service to one or more SAML Identity Provider (IdP) connectors (each of which specifies an external IdP). When you bind an SP service to multiple IdP connectors, Access Policy Manager chooses the correct IdP connector at run time through a filtering and matching process called IdP discovery.
Scenario
You might bind multiple IdP connectors to an SP service on the BIG-IP system when you must provide services to different businesses and universities, each of which specifies an IdP to identify their users. When the user's information arrives at the SP service on the BIG-IP system, the SP service identifies the correct IdP and redirects the user to authenticate against that IdP before the SP service provides access to the service.
Session variables and the typical access policy for BIG-IP system as SP
On a BIG-IP system configured as an SP, the typical access policy presents a logon page to the user. The Logon Page action populates session variables. You can customize the Logon Page action and affect session variable values. A SAML Auth action follows the logon page.
A SAML Auth action specifies an SP service. An SP service is an AAA service that requests authentication from an external IdP (specified in an IdP connector).
Session variables and SAML IdP discovery
Among multiple IdP connectors, the BIG-IP system must discover the correct external IdP with which to authenticate a user. For IdP discovery to work, you must specify matching criteria, a session variable name and value, for each IdP connector.
For example, users of a service might go to a particular landing page. When you bind the IdP connector for the external IdP that serves those users to the SP service, select the %{session.server.landinguri} session variable and supply a landing path value such as /south*. For users going to URLs such as https://sp-service/southwest and https://sp-service/southeast, the SP service selects the same IdP to authenticate them.
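The following is an added illustration of the discovery step described above; it is not APM code. It assumes that the matching criterion is compared glob-style (so /south* covers /southwest and /southeast, as in the example) and that the first matching IdP connector wins; the connector names and session values are constructed.

```python
import fnmatch

# Constructed IdP connector bindings for one SP service (example data, not from the page).
# Each binding names the session variable used as matching criterion and the value pattern.
IDP_BINDINGS = [
    {"connector": "idp-south-university", "variable": "%{session.server.landinguri}", "pattern": "/south*"},
    {"connector": "idp-north-business", "variable": "%{session.server.landinguri}", "pattern": "/north*"},
    {"connector": "idp-office-com", "variable": "%{session.logon.last.domain}", "pattern": "office.com"},
]


def _var_name(ref):
    """Turn '%{session.x.y}' into 'session.x.y'; a plain name is returned unchanged."""
    if ref.startswith("%{") and ref.endswith("}"):
        return ref[2:-1]
    return ref


def discover_idp(bindings, session_vars):
    """Return the name of the first IdP connector whose matching criterion is satisfied.

    Glob-style matching is an assumption modelled on the page's /south* example.
    Returns None when no connector matches, i.e. discovery fails and the user
    cannot be redirected to an IdP.
    """
    for binding in bindings:
        value = session_vars.get(_var_name(binding["variable"]))
        if value is None:
            continue  # the Logon Page action did not populate this variable
        if fnmatch.fnmatchcase(value, binding["pattern"]):
            return binding["connector"]
    return None


if __name__ == "__main__":
    # Constructed session variables, as the Logon Page action might populate them.
    session = {
        "session.server.landinguri": "/southwest",
        "session.logon.last.username": "joe",
        "session.logon.last.domain": "office.com",
        "session.logon.last.logonname": "joe@office.com",
    }
    print(discover_idp(IDP_BINDINGS, session))
```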
Logon Page action customization
These are some common customization examples for the Logon Page action.
Session Variable | Value |
---|---|
%{session.logon.last.username} | joe |
%{session.logon.last.domain} | office.com |
%{session.logon.last.logonname} | joe@office.com |
About IdP connectors
An IdP connector specifies how a BIG-IP system, configured as a SAML service provider (SP), connects with an external SAML identity provider (IdP).
About methods for configuring SAML IdP connectors in APM
You can use one or more of these methods to configure SAML identity provider (IdP) connectors in Access Policy Manager (APM).
- From metadata - Obtain a metadata file from the vendor and import it into APM. The advantage to this method is that the vendor provides all required data, including the certificate. You can complete the configuration by simply typing a unique name for the identity provider, and browsing to and importing the file. APM imports the certificate to the BIG-IP system and configures the SAML IdP connector.
- From template - Use templates that APM provides for some vendors. The advantages to this method are that:
  - Most required data is included in the template. (Note that the certificate is not included.)
  - Additional required data is minimal and is available from the vendor.
- Custom - Research the identity provider requirements and type all settings into the Configuration utility. Use this method when a metadata file or a template for an identity provider is not available. APM configures the SAML IdP connector. You must obtain a certificate from the vendor and import it into the BIG-IP system.
- IdP Automation - Provide files with cumulative IdP metadata on remote systems, then configure BIG-IP IdP automation to poll the files periodically and create IdP connectors and bind them to a specific service provider (SP) service.
Task summary
Setting up a BIG-IP system as a SAML service provider (SP) involves two activities:
- First, you set up one BIG-IP system as a SAML service provider (SP) system
- Then, you go to one or more external SAML identity provider (IdP) systems and set up connectivity to the SP system
Task list
Configuring a custom SAML IdP connector
Creating a virtual server for a BIG-IP (as SAML SP) system
Configuring a SAML SP service
Binding a SAML SP service to SAML IdP connectors
Exporting SAML SP metadata from APM
Configuring an access policy to authenticate with an external SAML IdP
Simple access policy to authenticate users against an external SAML IdP
Adding the access profile to the virtual server
You associate the access profile with the virtual server so that Access Policy Manager can apply the profile to incoming traffic.
Adding SAML SP metadata from APM to an external SAML IdP
- Import the SAML SP metadata file that you exported from APM for a SAML SP service that is bound to the SAML IdP connector for this IdP.
- Or take information from the SAML SP metadata file that you exported from APM and add it using the vendor's interface. Pay particular attention to the values for entityID, AssertionConsumerService, and the certificate.
Note: Typically, the value of AssertionConsumerService is a URL that looks like this: https://bigip-sp-vs/saml/sp/profile/post/acs.