Forum Discussion
APM SP connections - Subject Types
- Jul 19, 2016
If I understand you right, I think you might be under a misconception about how SAML IDP configuration works on the BIG-IP. You can certainly have multiple IDP/SP bindings configured on the same virtual server. To fully visualize how it happens, I suggest you leverage this iApp to set up your initial federation with a couple of SaaS apps and take a look at the config it creates - it should hopefully be self-explanatory after that. :) If not, fire away your questions here.
https://devcentral.f5.com/codeshare/saas-federation-iapp
- MC_273315, Jul 19, 2016 (Cirrus)
Thanks Michael, I'll check that out.
- MC_273315, Jul 20, 2016 (Cirrus)
Just to clarify my train of thought: we do have multiple bindings on our Local IdP Service, which are various SP connectors.
What I'm trying to determine is if there is in fact a 1-to-1 relationship between [Local IdP Service]-[Access Profile]-[Virtual Server]. The Access Profile and Virtual Server have a dropdown which associates them with each other. I'd like to create a new [Local IdP Service] and reuse the same [Access Profile] and [Virtual Server]. The new [Local IdP Service] is needed since I need a new Subject Type.
I'll try out that iApp, it is possible I am missing a key configuration piece. Version - BIG-IP 11.5.3 Build 1.0.167 Hotfix HF1
Thanks, Mike
- Michael_Koyfman, Jul 21, 2016 (Cirrocumulus)
I hope things will be self-explanatory once you see the config produced by the iApp. The gist is that you do not have to assign the IDP service to Access Profile as the SSO, but rather as SAML Resource in the VPE, and you can have multiple IDP-to-SP mappings assigned there.
- MC_273315, Jul 27, 2016 (Cirrus)
Thanks, the reference to SAML Resources cleared up the confusion.
- Created IDPs needed with a single SP Connector binding
- Created SAML Resources by choosing the IDP
- Set up my single Access Profile that is tied to my main SSO VIP to allow access by valuing LDAP Group Resource Assign or Advanced Resource Assign - when valuing these, the SAML Resource is selected as well as the Webtop, even though I'm not using a Webtop.
The SP initiated connections now work, just by parsing the list of allowable resources. I've also successfully tied AD groups to the resource list, though a graceful deny is the next challenge.
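The layout MC describes above (one virtual server and access profile, several local IdP services that differ only in Subject Type, each bound to a single SP connector, and SAML resources assigned by directory group) can be modelled outside the BIG-IP to see what the SP-initiated routing actually decides. The following Python is an added example written for this page; it is not BIG-IP configuration, not APM code, and not from the iApp linked in the thread. The entity IDs, ACS URLs, group DNs, user records and the AuthnRequest are all constructed for the example. It also includes the one check a practitioner would want here: the assertion goes only to the ACS configured on the SP connector, never to the one named in the request, and any mismatch, unknown issuer, or missing resource assignment results in a denial rather than an assertion.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Constructed: two local IdP services behind one virtual server. The only
# difference is the NameID format ("Subject Type") each one issues and the
# directory attribute that feeds it.
IDP_SERVICES = {
    "idp-email": {
        "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "subject_attr": "mail",
    },
    "idp-persistent": {
        "nameid_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
        "subject_attr": "objectGUID",
    },
}

# Constructed: SP connectors keyed by the SP entity ID (the <saml:Issuer> of its
# AuthnRequest). Each IdP service is bound to exactly one SP connector.
SP_CONNECTORS = {
    "https://sp-a.example/metadata": {"idp": "idp-email", "acs": "https://sp-a.example/acs"},
    "https://sp-b.example/metadata": {"idp": "idp-persistent", "acs": "https://sp-b.example/acs"},
}

# Constructed: one SAML resource per IdP-to-SP binding, assigned by group
# (the Advanced Resource Assign step in the access policy).
SAML_RESOURCES = {
    "saml-res-sp-a": "https://sp-a.example/metadata",
    "saml-res-sp-b": "https://sp-b.example/metadata",
}
GROUP_RESOURCES = {
    "CN=sales,OU=Groups,DC=example,DC=com": {"saml-res-sp-a"},
    "CN=eng,OU=Groups,DC=example,DC=com": {"saml-res-sp-a", "saml-res-sp-b"},
}


def parse_authn_request(xml_text):
    """Return (issuer, requested ACS URL) from an SP-initiated AuthnRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("AuthnRequest has no Issuer")
    return issuer.text.strip(), root.get("AssertionConsumerServiceURL")


def allowed_resources(groups):
    """Union of the SAML resources assigned to the user's groups."""
    allowed = set()
    for group in groups:
        allowed |= GROUP_RESOURCES.get(group, set())
    return allowed


def route_sp_initiated(xml_text, user):
    """Pick the IdP service (and therefore the Subject Type) for an SP-initiated
    request, or return a graceful deny with the reason."""
    try:
        issuer, requested_acs = parse_authn_request(xml_text)
    except (ET.ParseError, ValueError) as exc:
        return {"status": "denied", "reason": f"malformed request: {exc}"}

    connector = SP_CONNECTORS.get(issuer)
    if connector is None:
        return {"status": "denied", "reason": f"no SP connector for issuer {issuer}"}

    # Only the ACS configured on the connector is trusted; a request that asks
    # for a different ACS is denied instead of redirecting the assertion.
    if requested_acs is not None and requested_acs != connector["acs"]:
        return {"status": "denied", "reason": "AssertionConsumerServiceURL does not match connector"}

    resource = next((r for r, eid in SAML_RESOURCES.items() if eid == issuer), None)
    if resource is None or resource not in allowed_resources(user["groups"]):
        return {"status": "denied", "reason": f"{user['name']} has no SAML resource for {issuer}"}

    idp = IDP_SERVICES[connector["idp"]]
    return {
        "status": "ok",
        "idp": connector["idp"],
        "acs": connector["acs"],
        "nameid_format": idp["nameid_format"],
        "nameid": user[idp["subject_attr"]],
    }


# Constructed sample: SP B starts the flow; Alice is in eng, Bob only in sales.
AUTHN_REQUEST_SP_B = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
    IssueInstant="2016-07-27T12:00:00Z" AssertionConsumerServiceURL="https://sp-b.example/acs">
  <saml:Issuer>https://sp-b.example/metadata</saml:Issuer>
</samlp:AuthnRequest>"""
ENGINEER = {"name": "alice", "mail": "alice@example.com", "objectGUID": "6f1c2a3e-0000-4000-8000-0000000000a1",
            "groups": ["CN=eng,OU=Groups,DC=example,DC=com"]}
SALES = {"name": "bob", "mail": "bob@example.com", "objectGUID": "6f1c2a3e-0000-4000-8000-0000000000b2",
         "groups": ["CN=sales,OU=Groups,DC=example,DC=com"]}

if __name__ == "__main__":
    print(route_sp_initiated(AUTHN_REQUEST_SP_B, ENGINEER))  # ok, idp-persistent, GUID as NameID
    print(route_sp_initiated(AUTHN_REQUEST_SP_B, SALES))     # denied: no resource for SP B
```

The denial branches are where the "graceful deny" MC mentions would hang off: in the model each one returns a reason instead of raising, which is the behaviour you would map to a deny ending with a message rather than a bare failure.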
- Michael_Koyfman, Jul 27, 2016 (Cirrocumulus)
Sounds like you're in good shape, MC. Glad to hear it!