Forum Discussion

Jason_L_40779
Apr 05, 2016

APM SP Initiated workflow IDP

Hi All. I'm building out a new IDP environment on F5 APM. I have one application working but am starting to roll this out for half a dozen more applications which will all be SP initiated. Basically I want users to login to say https://test.test.com which would be an external SP from a business partner. They would then be redirected to my IDP and login with their AD credentials. I would have say 10 different SP initiated applications, and all redirect to a different IDP, but use the same virtual server and access-profile. Can you do this?


1) I'm struggling with one application that needs to use the UPN or e-mail address and pass that through to an external SP. The user is logging into the IDP with their AD credentials, but I need to grab the UPN or email and pass that to the SP and not the AD credentials. 2) How do I have the user go directly to the SAML resource without having to click on the icon listed on the webtop?


3) If I have one virtual server, with one access policy, how does the access policy keep track of having say 10 IDP and 10 SP connectors and which resource to send users to? I guess my question is, can you have multiple IDPs and SP connectors under one single virtual server? I have read several of the documents but they seem to be very basic and not cover the in-depth configurations.


Thanks, any help would be appreciated.


12 Replies

  • Jason,


    Please see below:


    1) I'm struggling with one application that needs to use the UPN or e-mail address and pass that through to an external SP. The user is logging into the IDP with their AD credentials, but I need to grab the UPN or email and pass that to the SP and not the AD credentials.


    Each app should have a unique IDP-to-SP mapping in the APM config. That also gives you the flexibility to define unique IDP configs and respond with different values in the SAML assertion to the SP. For your example, you would want to do an AD Query in the Access Policy after AD Auth; it will pull all relevant user attributes from AD and you will be able to select the right attribute to be passed to the SP in the SAML assertion.


    2) How do I have the user go directly to the SAML resource without having to click on the icon listed on the webtop?


    You would go straight to the SP, and it should redirect you to APM as the IDP; you would authenticate, and it should send an assertion right back to the application without showing the webtop to the user.


    3) If I have one virtual server, with one access policy, how does the access policy keep track of having say 10 IDP and 10 SP connectors and which resource to send users to? I guess my question is, can you have multiple IDPs and SP connectors under one single virtual server? I have read several of the documents but they seem to be very basic and not cover the in-depth configurations.


    Absolutely! APM distinguishes between them by virtue of bindings, so as you bind an IDP config to an SP connector, it treats it as an application. Then you create a SAML Resource object and assign it to the policy via the VPE; so in your case, you would create 10 SAML Resource objects and assign them via the Advanced Resource Assign VPE object to the policy.


    Hope this helps you move forward with this.


    • Jason_L_40779
      Thanks Michael. For some reason a couple of things are happening. First off, in my SP-initiated SAML request, the user logs into an external website, the business partner's SP redirects the user to my IDP, and the user gets prompted for their AD username and password. They enter their credentials, and they are still seeing the webtop and all of the icons for the multiple SAML resources. They can click on the webtop, but I want this to be invisible, if you will, to the user. Also, I want a user to enter their AD credentials, but have the User Principal Name (or email address, in our case) sent to the SP for one of the SPs. Right now, it's only sending the AD username. Where it gets confusing, each customer might have a different assertion type. Since I'm using one VIP and can only use one access policy per VIP, how does one access policy work for multiple SAML resources and assertion types when they can be different? My AD Auth would take the User Principal Name and send it, but that might break it for others using the same access policy. My access policy looks like this: start > Logon Page > AD Auth > AD Query > Advanced Resource Assign > Allow. The Advanced Resource Assign has a full webtop and two SAML resources. Thanks again.
    • Daniel_Varela
      Hi Jason, I think this reference explains all you need to configure in your APM as IDP with no SSO portal (or IdP for SP-initiated connections only): https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/29.html?sr=52957930. Hope this helps!
    • Jason_L_40779
      I removed the webtop and built the access policy so that it looks like this: start > Logon Page > AD Auth > Allow, according to the SP-initiated documentation linked above, and now I get the error below. When I add the webtop and use IDP-initiated, it appears to work. But again, I want users to use SP-initiated, get redirected, and see no webtop.
      SSOv2 Error(16) Unable to find SAML SSO/SP Connector object matching SAML Authn Request
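Added example, not code from the thread and not F5's implementation: a small Python model of the SP-initiated step Michael's answer describes and that the Error(16) in the last reply is about. The IdP reads the Issuer of the incoming AuthnRequest, looks for the SP connector bound to that entity ID, and uses that binding to decide which AD Query attribute (userPrincipalName for one SP, sAMAccountName for another) becomes the NameID. Every entity ID, URL, attribute value and function name below is constructed for illustration; the connector table stands in for the per-SP bindings, and a request whose Issuer has no binding is rejected, which is the situation the "Unable to find SAML SSO/SP Connector object" message reports.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SP connector table keyed by SP entity ID (the <saml:Issuer>
# value). Each entry models one IdP-to-SP binding, including which AD
# attribute the assertion's NameID is taken from. All values are made up.
SP_CONNECTORS = {
    "https://test.test.com/saml/metadata": {
        "name": "sp_test_partner",
        "nameid_attr": "userPrincipalName",  # this SP wants the UPN / e-mail
        "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "acs": "https://test.test.com/saml/acs",
    },
    "https://partner2.example.net/saml/metadata": {
        "name": "sp_partner2",
        "nameid_attr": "sAMAccountName",  # this SP wants the plain AD username
        "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
        "acs": "https://partner2.example.net/saml/acs",
    },
}

# Constructed result of an AD Query for the authenticated user.
AD_ATTRS = {
    "sAMAccountName": "jlee",
    "userPrincipalName": "jlee@test.test.com",
    "mail": "jlee@test.test.com",
}


class NoMatchingSPConnector(Exception):
    """No SP connector is bound to the Issuer of the AuthnRequest."""


def parse_authn_request(xml_text):
    """Extract the fields needed to pick an SP connector."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("AuthnRequest carries no saml:Issuer")
    return {
        "id": root.get("ID"),
        "issuer": issuer.text.strip(),
        "acs": root.get("AssertionConsumerServiceURL"),
    }


def match_sp_connector(request):
    """Find the SP connector bound to the request's Issuer."""
    sp = SP_CONNECTORS.get(request["issuer"])
    if sp is None:
        raise NoMatchingSPConnector(
            "no SP connector matches Issuer %r" % request["issuer"])
    # A requested ACS URL must be the one on file for this SP, so the
    # assertion is only ever delivered to the configured endpoint.
    if request["acs"] and request["acs"] != sp["acs"]:
        raise ValueError("AssertionConsumerServiceURL does not match SP connector")
    return sp


def build_subject(request, sp, ad_attrs):
    """Choose the NameID for this SP from the AD Query attributes."""
    value = ad_attrs.get(sp["nameid_attr"])
    if not value:
        raise KeyError("AD Query returned no %s for the user" % sp["nameid_attr"])
    return {
        "sp": sp["name"],
        "NameID": value,
        "Format": sp["nameid_format"],
        "InResponseTo": request["id"],
        "Recipient": sp["acs"],
    }


def handle_authn_request(xml_text, ad_attrs=AD_ATTRS):
    """SP-initiated path: parse, match the binding, build the subject."""
    request = parse_authn_request(xml_text)
    return build_subject(request, match_sp_connector(request), ad_attrs)


def sp_bound_to(xml_text):
    """Name of the bound SP connector, or None when nothing matches."""
    try:
        return match_sp_connector(parse_authn_request(xml_text))["name"]
    except NoMatchingSPConnector:
        return None


def _authn_request(issuer, acs):
    # Minimal constructed AuthnRequest; real ones are larger and usually signed.
    return (
        '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_req1" '
        'Version="2.0" IssueInstant="2016-04-05T12:00:00Z" '
        'AssertionConsumerServiceURL="%s"><saml:Issuer>%s</saml:Issuer>'
        "</samlp:AuthnRequest>"
    ) % (NS["samlp"], NS["saml"], acs, issuer)


REQUEST_FROM_TEST_SP = _authn_request(
    "https://test.test.com/saml/metadata", "https://test.test.com/saml/acs")
REQUEST_FROM_PARTNER2 = _authn_request(
    "https://partner2.example.net/saml/metadata", "https://partner2.example.net/saml/acs")
REQUEST_FROM_UNKNOWN_SP = _authn_request(
    "https://unbound.example.org/saml/metadata", "https://unbound.example.org/saml/acs")

if __name__ == "__main__":
    print(handle_authn_request(REQUEST_FROM_TEST_SP))
    print(handle_authn_request(REQUEST_FROM_PARTNER2))
    print("unknown SP bound to:", sp_bound_to(REQUEST_FROM_UNKNOWN_SP))
```

The point the model makes for the thread: with one virtual server and one access policy, the decision about which SP gets which NameID is not made by the policy branch but by the binding keyed on the SP's entity ID, so each partner can receive a different attribute without any per-customer branching in the VPE. A request whose Issuer matches no binding yields no connector at all, which is the condition to check first when the IdP reports that it cannot find a matching SP connector.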