Applies To:
Show VersionsBIG-IP APM
- 13.1.5, 13.1.4
Overview: Federating BIG-IP systems for SAML SSO (without an SSO portal)
In a federation of BIG-IP® systems, one BIG-IP system acts as a SAML Identity Provider (IdP) and other BIG-IP systems act as SAML service providers (SPs).
This configuration supports:
- Only those connections that initiate at a service provider.
- Only service providers that accept assertions with similar subject type, attributes, and security settings.
About SAML IdP discovery
On a BIG-IP® system that you use as a SAML service provider (SP), you can bind an SP service to one or more SAML Identity Provider (IdP) connectors (each of which specifies an external IdP). When you bind an SP service to multiple IdP connectors, Access Policy Manager® chooses the correct IdP connector at run time through a filtering and matching process called IdP discovery.
Scenario
You might bind multiple IdP connectors to an SP service on the BIG-IP system when you must provide services to different businesses and universities, each of which specifies an IdP to identify their users. When the user's information arrives at the SP service on the BIG-IP system, the SP service identifies the correct IdP and redirects the user to authenticate against that IdP before the SP service provides access to the service.
Session variables and the typical access policy for BIG-IP system as SP
On a BIG-IP system configured as an SP, the typical access policy presents a logon page to the user. The Logon Page action populates session variables. You can customize the Logon Page action and affect session variable values. A SAML Auth action follows the logon page.
A SAML Auth action specifies an SP service. An SP service is an AAA service that requests authentication from an external IdP (specified in an IdP connector).
Session variables and SAML IdP discovery
Among multiple IdP connectors, the BIG-IP system must discover the correct external IdP with which to authenticate a user. For IdP discovery to work, you must specify matching criteria, a session variable name and value, for each IdP connector.
For example, users of a service might go to a particular landing page. When you bind the IdP connector, for the external IdP that serves those users, to the SP service, select the %{session.server.landinguri} session variable and supply a landing path value, such as, /south*. For users going to URLs such as https://sp-service/southwest and https://sp-service/southeast, the SP service selects the same IdP to authenticate them.
Logon Page action customization
These are some common customization examples for the Logon Page action.
Setting the value of session.logon.last.domain variable to the domain name only
Session Variable | Value |
---|---|
%{session.logon.last.username} | joe |
%{session.logon.last.domain} | office.com |
%{session.logon.last.logonname} | joe@office.com |
Obtaining and email address as the username
About local IdP service
A SAML IdP service is a type of single sign-on (SSO) authentication service in Access Policy Manager® (APM®). When you use a BIG-IP® system as a SAML identity provider (IdP), a SAML IdP service provides SSO authentication for external SAML service providers (SPs). You must bind a SAML IdP service to SAML SP connectors, each of which specifies an external SP. APM responds to authentication requests from the service providers and produces assertions for them.
About SP connectors
A SAML service provider connector (an SP connector) specifies how a BIG-IP® system, configured as a SAML Identity Provider (IdP), connects with an external service provider.
What are the available ways I can configure a SAML SP connector?
You can use one or more of these methods to configure SAML service provider (SP) connectors in Access Policy Manager®.
- From metadata - Obtain a metadata file from the vendor and import it into Access Policy Manager. The advantage to this method is that the vendor provides the majority of all required data, including certificates. You can complete the configuration by simply typing a unique name for the SP connector, a very few additional required fields, and browsing to and importing the file. Access Policy Manager then configures the SP connector.
- From template - Use templates that Access Policy Manager provides for some vendors; for
example, Google. The advantages to this method are that:
- Most required data is included in the template
- Additional required data is minimal. You can obtain it and certificates from the vendor
- Custom - Obtain information from the vendor and type the settings into the Configuration utility. To use this method, you must also obtain certificates from the vendor and import them into the BIG-IP® system. Use this method when a metadata file or a template for an SP connector is not available.
About local SP service
A SAML SP service is a type of AAA service in Access Policy Manager® (APM® ). It requests authentication from an external SAML Identity Provider (IdP) that is specified on APM in a SAML IdP connector. (You bind a SAML service provider (SP) service to one or more SAML IdP connectors.) APM requests authentication from an IdP and consumes assertions from it to allow access to resources behind APM.
About IdP connectors
An IdP connector specifies how a BIG-IP® system, configured as a SAML service provider (SP), connects with an external SAML identity provider (IdP).
About methods for configuring SAML IdP connectors in APM
You can use one or more of these methods to configure SAML identity provider (IdP) connectors in Access Policy Manager® (APM®).
- From metadata - Obtain a metadata file from the vendor and import it into APM. The advantage to this method is that the vendor provides all required data, including the certificate. You can complete the configuration by simply typing a unique name for the identity provider, and browsing to and importing the file. APM imports the certificate to the BIG-IP® system and configures the SAML IdP connector.
- From template - Use templates that APM provides for some vendors. The advantages to this
method are that:
- Most required data is included in the template. (Note that the certificate is not included.)
- Additional required data is minimal and is available from the vendor.
- Custom - Research the identity provider requirements and type all settings into the Configuration utility. Use this method when a metadata file or a template for an identity provider is not available. APM configures the SAML IdP connector. You must obtain a certificate from the vendor and import it into the BIG-IP system.
- IdP Automation - Provide files with cumulative IdP metadata on remote systems, then configure BIG-IP IdP automation to poll the files periodically and create IdP connectors and bind them to a specific service provider (SP) service.
Task summary
Setting up SAML federation for BIG-IP® systems involves three major activities:
- First, you set up one BIG-IP system as a SAML identity provider (IdP) system
- Next, you set up one or more BIG-IP systems as a SAML service provider (SP)
- Last, you go back to the IdP system and set up connectivity to the SP systems
Task list
Flowchart: BIG-IP system federation configuration
This flowchart illustrates the process for configuring BIG-IP® systems in federation without providing an SSO portal.