Forum Discussion
APM SAML - What's the best way to have multiple IDPs using one VIP
So you can map one IDP to one access policy, and many SPs to a single IDP.
What's the best practice to map multiple IDPs to one VIP?
10 Replies
- Kevin_Stewart
Employee
Natively you can assign the IdP (SSO objects) to individual SAML resources, and then add those SAML resources to a full resource assignment object in the visual policy. You could also technically switch between the SSO objects with an iRule and WEBSSO::select operation.
I had the same question a couple of weeks ago; check out the answers here: https://devcentral.f5.com/questions/saml-idp-can-you-have-one-apm-support-multiple-saml-idps
Basically you might just need a webtop, which sounds weird, but it worked for me.
- That_guy_122842
Nimbostratus
Yeah, but a webtop isn't the look and feel we want. The goal is for the process to be seamless.
- Micah_Haarbrink
Nimbostratus
We're in a similar situation as Wirecutter. We have requirements from marketing to send people directly to the service they are trying to log in to instead of using a webtop.
We use Jive for internal collaboration, and they want to be able to create a quicklinks menu in Jive with the URLs to the different services they can get to, since they are already authenticated once they get into the Jive site.
We have the users hit the Jive branded URL of ourcompany.jiveon.com, this redirects to the F5 for SSO, then once they log in they have the Jive content along with a Quicklinks area with links for other services. When they click those links they want to be passed straight to the service instead of a webtop or another login.
So essentially they want our Jive instance to be the webtop, but to do that we need to ensure that by being authenticated to the F5 after logging in to Jive they can click straight through to the other services.
Wirecutter, did you ever get a solution for your question?
- That_guy_122842
Nimbostratus
I didn't find an answer. We ended up working with a webtop, but we're running into customization limits (like segmenting SSO links and regular links).
We reached a middle ground with marketing where they said they could live with a Webtop, but they wanted to embed it in an iFrame to make it part of the experience.
Any help or direction would be wonderful..
- Micah_Haarbrink
Nimbostratus
I'll need to look into that embedded webtop option. I mentioned it to marketing and they liked the idea. We also have a web designer looking into the CSS on the F5 to see how far we can get modifying the logon pages that are available within the F5.
It's an administrative headache on our end now because some of our IdPs require their own Virtual Server, Access Profile and SSO Config because of the requirements in the assertion. That means we have to duplicate the web components for all of those to trick the user into thinking it's the same webpage they hit, so they don't get confused by a different logon experience.
I'll try to remember to post back here as we get further though. I prefer using a webtop since that's a more standard approach with the F5, but branding is a big deal for our folks so it will depend on what they can do with the CSS and other web options inside the F5.
- That_guy_122842
Nimbostratus
Now with the webtop, I'm using one Access Policy that points to a webtop with AD-group-driven links on the webtop. At that point we just create SAML resources that point to IDP objects. That gives us the flexibility for the IDPs that need email attributes and the others that need uid attributes.
We just have the one vip for that whole configuration.
I've got another post about embedding the window in an iframe, but no love on that one either.
https://devcentral.f5.com/questions/webtop-portal-in-an-iframe
I have made some progress with this: when you create a SAML resource you can use a link like a redirect. We are going to build our portal on SharePoint. I admit it's been a tough one, but I have done the following.
Created a virtual server: sso.mydomain.com
Created a SAML IdP Service / SP External connector from Salesforce to https://sso.mydomain.com/salesforce
Created a SAML IdP Service / SP External connector from Taleo to https://sso.mydomain.com/salesforce
Created SAML Resources for both of these SAML IdP configs
Created a webtop, because we need this for the Advanced Assignment
Assigned your virtual server the access policy; within the access policy, use an Advanced Assignment and pick the webtop and the SAML resources
You can put the following links on your Jive (or SharePoint, in our case) page and the user will not see the webtop portal.
Salesforce Login: https://sso.mydomain.com/saml/idp/res?id=//saml_idpsvc_salesforce_stg_01
Log out: https://sso.mydomain.com/vdesk/hangup.php3
- jnowlin_44976
Nimbostratus
I have a very similar setup to this. How did you get your IDP-initiated SAML to not land on the webtop portal? It sounds like I have the same configuration, but it never sends me directly to the provider's website.
- Kevin_Stewart
Employee
I may have steered you a little wrong in your other thread. The "IdP-initiated without webtop" piece didn't fully sink in. 😉
In any case, that isn't a "supported" configuration, but there is a workaround. With your working IdP-initiated config (resource assignment, SAML resource, webtop), add the following iRule to your IdP VIP:
when ACCESS_POLICY_COMPLETED priority 30 {
    ACCESS::respond 302 Location "/saml/idp/res?id=/Common/saml_resource"
}

where "/Common/saml_resource" is the name of your SAML resource object. It's basically the same thing as actually clicking the link.
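An added example, not Kevin's or F5's code, that extends the same idea to the multiple-IdP-on-one-VIP case the thread started with: the iRule picks the SAML resource from the path the user originally requested (the /salesforce-style landing URLs from earlier in the thread) instead of hard-coding a single resource. The second resource name and the /taleo path are assumptions; session.server.landinguri is the standard APM variable holding the pre-login request URI.

```tcl
# Added example (not from the original thread): send an IdP-initiated login
# straight to one of several SAML resources on a single VIP, chosen from the
# path the user first requested. Resource names after the first are assumed;
# replace them with your own /Common/... SAML resource objects.
when ACCESS_POLICY_COMPLETED priority 30 {
    # Only redirect sessions that actually passed the access policy
    if { [ACCESS::policy result] ne "allow" } { return }

    # APM records the URI the client asked for before authentication
    set landing [string tolower [ACCESS::session data get "session.server.landinguri"]]

    # Fixed allow-list: the Location header is always one of our own SAML
    # resources, never assembled from client-controlled input, so a crafted
    # landing URI cannot turn this into an open redirect
    switch -glob -- $landing {
        "/salesforce*" { set res "/Common/saml_idpsvc_salesforce_stg_01" }
        "/taleo*"      { set res "/Common/saml_idpsvc_taleo_stg_01" } ;# assumed name
        default        { return } ;# unknown path: fall through to the webtop
    }

    # Leave an audit trail of which SP each session was handed to
    log local0. "IdP-initiated SSO: session [ACCESS::session sid] -> $res"
    ACCESS::respond 302 noserver Location "/saml/idp/res?id=$res"
}
```

Sessions whose landing path matches nothing still land on the webtop, so the fallback behaviour stays identical to the stock configuration.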