Manual Chapter : Using APM as a SAML Service Provider

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
Manual Chapter

About configuration requirements for APM as a SAML service provider

For Access Policy Manager to act as a SAML service provider (SP), you must create this configuration.

  • SAML SP service - One.
  • SAML Identity Provider (IdP) connectors - One or more.
  • An SSL certificate and key from each SAML IdP, imported into the store on the BIG-IP system.
  • An access profile.
  • An access policy that includes the SAML Auth agent.
  • A virtual server that assigns the access profile.

About local SP service

A SAML SP service is a type of AAA service in Access Policy Manager (APM ). It requests authentication from an external SAML Identity Provider (IdP) that is specified on APM in a SAML IdP connector. (You bind a SAML service provider (SP) service to one or more SAML IdP connectors.) APM requests authentication from an IdP and consumes assertions from it to allow access to resources behind APM.

About SAML IdP discovery

On a BIG-IP system that you use as a SAML service provider (SP), you can bind an SP service to one or more SAML Identity Provider (IdP) connectors (each of which specifies an external IdP). When you bind an SP service to multiple IdP connectors, Access Policy Manager chooses the correct IdP connector at run time through a filtering and matching process called IdP discovery.

Scenario

You might bind multiple IdP connectors to an SP service on the BIG-IP system when you must provide services to different businesses and universities, each of which specifies an IdP to identify their users. When the user's information arrives at the SP service on the BIG-IP system, the SP service identifies the correct IdP and redirects the user to authenticate against that IdP before the SP service provides access to the service.

Note: The SP service performs IdP discovery for a user only when the user initiates connection from an SP.

Session variables and the typical access policy for BIG-IP system as SP

On a BIG-IP system configured as an SP, the typical access policy presents a logon page to the user. The Logon Page action populates session variables. You can customize the Logon Page action and affect session variable values. A SAML Auth action follows the logon page.

Example typical access policy on BIG-IP system as SAML SP

A SAML Auth action specifies an SP service. An SP service is an AAA service that requests authentication from an external IdP (specified in an IdP connector).

Session variables and SAML IdP discovery

Among multiple IdP connectors, the BIG-IP system must discover the correct external IdP with which to authenticate a user. For IdP discovery to work, you must specify matching criteria, a session variable name and value, for each IdP connector.

For example, users of a service might go to a particular landing page. When you bind the IdP connector, for the external IdP that serves those users, to the SP service, select the %{session.server.landinguri} session variable and supply a landing path value, such as, /south*. For users going to URLs such as https://sp-service/southwest and https://sp-service/southeast, the SP service selects the same IdP to authenticate them.

Logon Page action customization

These are some common customization examples for the Logon Page action.

Example typical access policy on BIG-IP system as SAML SP Setting the value of session.logon.last.domain variable to the domain name only
Select Yes for Split domain from full Username. The Logon Page agent takes the user name, such as joe@office.com, that was entered and creates the following session variables with these values.
Session Variable Value
%{session.logon.last.username} joe
%{session.logon.last.domain} office.com
%{session.logon.last.logonname} joe@office.com
Example typical access policy on BIG-IP system as SAML SP Obtaining and email address as the username
Change the prompt for the first field (username field). To omit the password, select Type none.

About IdP connectors

An IdP connector specifies how a BIG-IP system, configured as a SAML service provider (SP), connects with an external SAML identity provider (IdP).

About methods for configuring SAML IdP connectors in APM

You can use one or more of these methods to configure SAML identity provider (IdP) connectors in Access Policy Manager (APM).

  • From metadata - Obtain a metadata file from the vendor and import it into APM. The advantage to this method is that the vendor provides all required data, including the certificate. You can complete the configuration by simply typing a unique name for the identity provider, and browsing to and importing the file. APM imports the certificate to the BIG-IP system and configures the SAML IdP connector.
  • From template - Use templates that APM provides for some vendors. The advantages to this method are that:
    • Most required data is included in the template. (Note that the certificate is not included.)
    • Additional required data is minimal and is available from the vendor.
    APM configures the SAML IdP connector. You must obtain a certificate from the vendor and import it into the BIG-IP system.
  • Custom - Research the identity provider requirements and type all settings into the Configuration utility. Use this method when a metadata file or a template for an identity provider is not available. APM configures the SAML IdP connector. You must obtain a certificate from the vendor and import it into the BIG-IP system.
  • IdP Automation - Provide files with cumulative IdP metadata on remote systems, then configure BIG-IP IdP automation to poll the files periodically and create IdP connectors and bind them to a specific service provider (SP) service.

Task summary

Setting up a BIG-IP system as a SAML service provider (SP) involves two activities:

  • First, you set up one BIG-IP system as a SAML service provider (SP) system
  • Then, you go to one or more external SAML identity provider (IdP) systems and set up connectivity to the SP system

Task list

Configuring a custom SAML IdP connector

Configure a SAML IdP connector so that Access Policy Manager (APM) (as a SAML service provider) can send authentication requests to this IdP, relying on it to authenticate users and to provide access to resources behind APM.
  1. On the Main tab, click Access Policy > SAML > BIG-IP as IdP. The BIG-IP as IdP screen opens and displays a list of local IdP services.
  2. On the menu bar, click External IdP Connectors. A list of SAML IdP connectors displays.
  3. Click Create > Custom. The Create New IdP Connector screen opens.
  4. In the Name field, type a unique name for the SAML IdP connector.
  5. In the IdP Entity ID field, type a unique identifier for the IdP. This is usually a URI. Obtain this value from the vendor.
  6. From the left pane, select Endpoint Settings. The screen changes to display the applicable settings.
  7. In the Single Sign On Service URL field, type the location on the IdP where APM should send authentication requests.
  8. Optional: From the Single Sign On Service Binding field, select how APM should send authentication requests to the IdP:
    • POST (the default value)
    • Redirect
  9. From the left pane, select Assertion Settings.
  10. From Identity Location, select where to find the principal (usually, this is a user) to be authenticated:
    • Subject - In the subject of the assertion. This is the default setting.
    • Attribute - In an attribute. If selected, the Identity Location Attribute field displays and you must type an attribute name into it.
      Note: If the assertion from the IdP does not include this attribute, the BIG-IP system (as SP) does not accept the assertion as valid.
  11. Select Security Settings from the left pane.
    1. Optional: Select a setting from the Must be signed list. The default setting is No. The setting indicates whether APM must sign the authentication requests it sends to this IdP.
    2. From Certificate Settings, select a certificate from the IdP's Assertion Verification Certificate list. The BIG-IP system uses this certificate from the IdP to verify the signature of the assertion from the IdP. If the certificate from the IdP is not in the BIG-IP system store, obtain it and import it into the store. Then edit this IdP connector to select the certificate for it.
  12. Select SLO Service Settings from the left pane.
    1. Optional: In the Single Logout Request URL field, type a URL at the SAML Identity Provider where Access Policy Manager sends the logout request when a service provider initiates a logout.
    2. In the Single Logout Response URL field, type a URL for the SAML Identity Provider where APM sends the logout response when the IdP initiates the logout request.
    Note: APM supports HTTP-POST binding for the SLO service. For SLO to work, all entities (SPs and IdPs) must support SLO.
  13. Click OK. The screen closes.
APM creates a SAML IdP connector. It is available to be attached to a SAML SP service.

Creating a virtual server for a BIG-IP (as SAML SP) system

Before you start this task, configure a client SSL profile and a server SSL profile.
Note: Access Policy Manager supports using a non-SSL virtual server for the BIG-IP system (as SP). However, we highly recommend using an SSL virtual server for security reasons. The following procedure includes steps that are required for configuring an SSL virtual server. These are: selecting client and server SSL profiles and setting the service port to HTTPS.
Specify a host virtual server to use as the SAML SP.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the Create button. The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type the IP address for a host virtual server. This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address.
  5. In the Service Port field, type 443 or select HTTPS from the list.
  6. For the HTTP Profile setting, verify that the default HTTP profile, http, is selected.
  7. For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL profile you previously created, and using the Move button, move the name to the Selected list.
  8. For the SSL Profile (Server) setting, from the Available list, select the name of the Server SSL profile you previously created, and using the Move button, move the name to the Selected list.
  9. Click Finished.
The virtual server for the BIG-IP system configured as an SP now appears on the Virtual Server List. The virtual server destination is available for use in a SAML SP service configuration.

Configuring a SAML SP service

Configure a SAML SP service for Access Policy Manager to provide AAA authentication, requesting authentication and receiving assertions from a SAML IdP.
  1. On the Main tab, click Access Policy > SAML > BIG-IP as IdP. The BIG-IP as IdP screen opens and displays a list of local IdP services.
  2. Click Create. The Create New SAML SP Service screen opens.
  3. In the Name field, type a unique name for the SAML SP service.
  4. In the Entity ID field, type a unique identifier for the service provider that includes the URI that points to the virtual server with the BIG-IP system and a unique path. For example, if you type https://bigip-sp/sp, then https:/bigip-sp points to the virtual server you use for APM as a SAML service provider and "/sp" is a unique string that APM uses to distinguish one service provider from another on this BIG-IP system.
    Note: The path is not a physical path on the BIG-IP system, but a string that distinguishes one SAML SP service from another when multiple SAML SP services are configured on this BIG-IP system.
  5. Optional: In the Relay State field, type a value. The value can be an absolute path, such as hr/index.html or a URI, such as https://www.abc.com/index.html. It is where the service provider redirects users after they are successfully authenticated and have been allowed by the access policy. When APM receives the relay state from the Identity Provider in addition to assertion, then it uses the value received from the IdP to redirect the user. Otherwise, APM uses the value from this configuration.
  6. Click Endpoint Settings from the left pane. The Assertion Consumer Service Binding list displays.
    1. Select either Artifact or POST.
  7. From the left pane, select Security Settings. The screen changes to display the applicable settings.
    1. Select Signed Authentication Request if you want this BIG-IP system to send signed authentication requests to the SAML IdP.
    2. Select Want Encrypted Assertion if this BIG-IP system requires encrypted assertions from the SAML IdP.
    3. Select Want Signed Assertion if the BIG-IP service provider system requires signed assertions from the SAML IdP. This is selected by default. It is recommended that it be selected.
    4. From SP's Authentication Signing/Assertion Decryption Private Key, select a key from the BIG-IP system store on this device. You can select a private key only when you select at least one of these check boxes: Signed Authentication Request and Want Encrypted Assertion. APM uses this private key to sign the authentication request to the IdP and to decrypt an encrypted assertion from the IdP.
    5. From SP Certificate, select a certificate. APM includes this certificate in the SAML SP metadata that you export. After the SAML SP metadata is imported on the IdP, the IdP can use this certificate to verify a signed authentication request and to encrypt an assertion.
  8. Click OK. The screen closes.
APM creates the SAML SP service. It is available to bind to SAML IdP connectors and to export to a metadata file.

Binding a SAML SP service to SAML IdP connectors

Select a SAML SP service and bind one or more SAML IdP connectors to it so that this device (BIG-IP system as a SAML service provider) can request authentication from the appropriate external IdP.
Note: If you bind this SP service to more than one IdP connector, you must configure matching criteria for each IdP connector. When users initiate connections at service providers, the BIG-IP system uses matching criteria to identity the correct IdP among many using SAML IdP discovery.
  1. On the Main tab, click Access Policy > SAML > BIG-IP as IdP. The BIG-IP as IdP screen opens and displays a list of local IdP services.
  2. Select a SAML SP service from the list.
  3. Click Bind/Unbind IdP Connectors. A pop-up screen displays a list of any IdP connectors that are associated with this SP service.
  4. To add an SAML IdP connector to the list, click Add New Row.
  5. To bind only one IdP connector with this SP service, complete the configuration:
    1. Select a connector from the SAML IdP Connectors list in the new row. When you bind only one IdP connector to an SP service, you do not need to fill in the Matching Source and Matching Value fields.
    2. Click the Update button. The configuration is not saved until you click OK.
    3. Click OK. APM saves the configuration. The screen closes.
  6. To bind multiple IdP connectors with this SP service, complete the configuration:
    1. Select a connector from the SAML IdP Connectors list in the new row.
    2. In the Matching Source column, select or type the name of a session variable. Use a session variable only if it is populated in the access policy before the SAML Auth action. For example, select %{session.server.landinguri} or type %{session.logon.username}.
    3. In the Matching Value column, type a value. The value can include the asterisk (*) wild card. For example, type *hibb* or south* .
    4. Click the Update button. The configuration is not saved until you click OK.
    5. To add other IdP connectors, start by clicking Add New Row, fill the new row, and end by clicking Update.
    6. Click OK. APM saves the configuration. The screen closes.
The SAML IdP connectors that you selected are bound the SAML SP service.

Exporting SAML SP metadata from APM

You need to convey the SP metadata from APM to the external SAML IdP that provides authentication service to this SP. Exporting the SAML SP metadata to a file provides you with the information that you need to do this.
  1. On the Main tab, click Access Policy > SAML > BIG-IP as IdP. The BIG-IP as IdP screen opens and displays a list of local IdP services.
  2. Select an SP service from the list and click Export Metadata. A popup window opens, displaying No on the Sign Metadata list.
  3. For APM to sign the metadata, perform these steps:
    1. Select Yes from the Sign Metadata list.
    2. Select a key from the Signing Key list. APM uses the key to sign the metadata.
    3. Select a certificate from the Signature Verification Certificate list. APM exports the certificate to the metadata file. The system on which you import the metadata file can use the certificate to verify the metadata signature.
  4. Select OK. APM downloads an XML file.
You must either import the XML file on the IdP system or use the information in the XML file to configure SP metadata on the IdP system .

Configuring an access policy to authenticate with an external SAML IdP

Before you start this task, configure an access profile.
When you use this BIG-IP system as a SAML service provider (SP), configure an access policy to direct users to an external SAML Identity Provider (IdP) for authentication .
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. In the Access Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new action item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. On the Authentication tab, select SAML Auth and click the Add Item button. The SAML Auth properties window opens.
  5. In the SAML Authentication SP area from the AAA Server list, select a SAML SP service and click Save. The Access Policy window displays.
  6. Add any additional actions that you require to complete the policy.
  7. Change the Successful rule branch from Deny to Allow and click the Save button.
  8. At the top of the window, click the Apply Access Policy link to apply and activate your changes to this access policy.
  9. Click the Close button to close the visual policy editor.
You have an access policy that uses SAML authentication against an external SAML IdP and further qualifies the resources that a user can access.

Simple access policy to authenticate users against an external SAML IdP

Example access policy for SAML IdP-initiated connection
To put the access policy into effect, you must attach it to a virtual server.

Adding the access profile to the virtual server

You associate the access profile with the virtual server so that Access Policy Manager can apply the profile to incoming traffic.

  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
  4. Click Update to save the changes.
Your access policy is now associated with the virtual server.

Adding SAML SP metadata from APM to an external SAML IdP

To complete the agreement between APM as the SAML service provider and a SAML IdP, you must configure service provider metadata at the IdP.
Note: The method for configuring SAML service provider metadata at a SAML IdP will vary by vendor.
Using the method that the vendor provides, either:
  • Import the SAML SP metadata file that you exported from APM for a SAML SP service that is bound to the SAML IdP connector for this IdP.
  • Or take information from the SAML SP metadata file that you exported from APM and add it using the vendor's interface. Pay particular attention to the values for entityID, AssertionConsumerService, and the certificate.
    Note: Typically, the value of AssertionConsumerService is a URL that looks like this: https://bigip-sp-vs/saml/sp/profile/post/acs.