Forum Discussion
APM SP Initiated workflow IDP
Jason,
Please see below:
1) I'm struggling with one application that needs to use the UPN or e-mail address and pass that through to an external SP. The user is logging into the IdP with their AD credentials, but I need to grab the UPN or email and pass that to the SP, not the AD credentials.
Each app should have a unique IdP-to-SP mapping in the APM config. That also gives you the flexibility to define unique IdP configs and respond with different values in the SAML assertion to the SP. For your example, you would want to do an AD Query in the Access Policy after AD Auth; it will pull all relevant user attributes from AD, and you will be able to select the right attribute to be passed to the SP in the SAML assertion.
2) How do I have the user go directly to the SAML resource without having to click on the icon listed on the webtop?
You would go straight to the SP, and it should redirect you to APM as the IdP; you would authenticate, and it should send an assertion right back to the application without showing the webtop to the user.
3) If I have one virtual server with one access policy, how does the access policy keep track of having, say, 10 IdP and 10 SP connectors and which resource to send users to? I guess my question is, can you have multiple IdP and SP connectors under one single virtual server? I have read several of the documents, but they seem to be very basic and don't cover the in-depth configurations.
Absolutely! APM distinguishes between them by virtue of bindings, so as you bind an IdP config to an SP connector, it treats it as an application. Then you create a SAML Resource object and assign it to the policy via the VPE. In your case, you would create 10 SAML Resource objects and assign them via the Advanced Resource Assign VPE object to the policy.
Hope this helps you move forward with this.
Jason_L_40779 (Nimbostratus), Apr 07, 2016
Thanks Michael. For some reason a couple of things are happening. First off, in my SP-initiated SAML request, the user logs into an external website, the business partner's SP redirects the user to my IdP, and the user gets prompted for their AD username and password. They enter their credentials, and they are still seeing the webtop and all of the icons for the multiple SAML resources. They can click on the webtop, but I want this to be invisible, if you will, to the user.

Also, I want a user to enter their AD credentials, but have the User Principal Name, or email address in our case, sent to the SP for one of the SPs. Right now, it's only sending the AD username. Where it gets confusing, each customer might have a different assertion type. Since I'm using one VIP and can only use one access policy per VIP, how does one access policy work for multiple SAML resources and assertion types when they can be different? My AD auth would take the User Principal Name and send it, but that might break it for others using the same access policy.

My access policy looks like this: Start > Logon Page > AD Auth > AD Query > Advanced Resource Assign > Allow. The Advanced Resource Assign has a full webtop and two SAML resources. Thanks again.

Daniel_Varela (Employee), Apr 07, 2016
Hi Jason, I think this reference explains all you need to configure in your APM as IdP with no SSO portal (or IdP for SP-initiated connections only): https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/29.html?sr=52957930. Hope this helps!

Jason_L_40779 (Nimbostratus), Apr 07, 2016
I removed the webtop and built the access policy so that it looks like this: Start > Logon Page > AD Auth > Allow, according to the SP-initiated document referenced above, and now I get the error below. When I add the webtop and use IdP-initiated, it appears to work. But again, I want users to have SP-initiated, get redirected, and see no webtop.

SSOv2 Error(16) Unable to find SAML SSO/SP Connector object matching SAML Authn Request

Michael_Koyfman (Cirrocumulus), Apr 07, 2016
This substantiates the issue that I suspected from the beginning: you have something misconfigured. When APM receives a SAML AuthN request, it maps it to the proper IdP config that is assigned to the policy, using the EntityID value in the SAML AuthN assertion and potentially the ACS value in the AuthN request. How did you create the SAML SP connector? Did you import metadata from your SP, or did you create it manually? If manually, then it's very possible you made a typo.

Jason_L_40779 (Nimbostratus), Apr 11, 2016
I was able to get it to work by literally deleting everything and setting everything up the exact same way. With all the poking around in there, either there was a typo that wasn't noticed, or maybe something got corrupted somewhere. So I have 2 SP-initiated connections with an SSO port. One last question. I read in F5's documentation the note listed below:

Overview: Configuring a BIG-IP system as IdP for SP-initiated connections only
Note: A configuration that allows users to initiate connection from service providers (SPs) only, works only when all service providers require the same assertion type, and value, and the same attributes from the IdP.

Does this mean, if I have one SP that uses UserPrincipalName and one that uses lastlogonname, I can't use the same IdP? Is there a way to capture and determine which SP initiated the request, to use a different assertion type?
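The matching step Michael describes (the IdP reads the SP's EntityID and, when present, the ACS URL out of the AuthnRequest and looks for an SP connector carrying those values) and the per-SP NameID choice Jason asks about, as an added example in Python. This is not code from the thread and not F5 code; it is a model of the lookup, not APM's implementation. It assumes a constructed table of two SP connectors with made-up entityIDs and ACS URLs, a constructed AD Query result, and the standard HTTP-Redirect binding encoding of the SAMLRequest parameter (raw DEFLATE, then base64). The last part shows the failure mode behind the error Jason saw: an entityID that differs by one character from what the SP sends matches nothing.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed SP connector table, standing in for APM's SP connector objects
# (all entityIDs and URLs are made up for this example). "nameid_attr" is the
# AD Query attribute each SP wants as the NameID in the assertion.
SP_CONNECTORS = {
    "https://partner-a.example.com/saml/metadata": {
        "acs": "https://partner-a.example.com/saml/acs",
        "nameid_attr": "userPrincipalName",
    },
    "https://partner-b.example.com/saml/metadata": {
        "acs": "https://partner-b.example.com/saml/acs",
        "nameid_attr": "sAMAccountName",
    },
}

# Constructed AD Query result for one user (in APM these land in session variables).
AD_QUERY_RESULT = {
    "sAMAccountName": "jsmith",
    "userPrincipalName": "jsmith@corp.example.com",
    "mail": "john.smith@corp.example.com",
}


class NoMatchingSPConnector(Exception):
    """No SP connector matches the AuthnRequest (the situation behind APM's
    'Unable to find SAML SSO/SP Connector object' error)."""


def encode_redirect_request(xml_text: str) -> str:
    """HTTP-Redirect binding encoding of SAMLRequest: raw DEFLATE, then base64."""
    comp = zlib.compressobj(wbits=-15)  # wbits=-15: raw DEFLATE, no zlib header
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def decode_redirect_request(saml_request: str) -> str:
    """Inverse: base64-decode the SAMLRequest parameter, then raw INFLATE."""
    return zlib.decompress(base64.b64decode(saml_request), wbits=-15).decode()


def parse_authn_request(xml_text: str) -> dict:
    """Pull out what the IdP routes on: Issuer (SP entityID), ACS URL, request ID."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("AuthnRequest carries no Issuer")
    return {"id": root.get("ID"), "issuer": issuer.text.strip(),
            "acs": root.get("AssertionConsumerServiceURL")}


def match_sp_connector(request: dict, connectors: dict = SP_CONNECTORS) -> tuple:
    """Match on entityID first, then on ACS if the request carries one.
    A typo in either value on the connector side means no match."""
    entity_id = request["issuer"]
    connector = connectors.get(entity_id)
    if connector is None:
        raise NoMatchingSPConnector(f"no SP connector with entityID {entity_id!r}")
    if request["acs"] and request["acs"] != connector["acs"]:
        raise NoMatchingSPConnector(
            f"ACS {request['acs']!r} does not match the connector for {entity_id!r}")
    return entity_id, connector


def route_saml_request(saml_request_param: str) -> dict:
    """End to end: decode the SAMLRequest parameter, find the SP, and return
    what the assertion for that SP should carry, including its NameID."""
    request = parse_authn_request(decode_redirect_request(saml_request_param))
    entity_id, connector = match_sp_connector(request)
    return {"in_response_to": request["id"], "audience": entity_id,
            "destination": connector["acs"],
            "nameid": AD_QUERY_RESULT[connector["nameid_attr"]]}


def route_or_error(saml_request_param: str) -> dict:
    """route_saml_request, but a no-match comes back as {'error': ...}."""
    try:
        return route_saml_request(saml_request_param)
    except NoMatchingSPConnector as exc:
        return {"error": str(exc)}


def build_authn_request(issuer: str, acs: str, request_id: str = "_req1") -> str:
    """Constructed minimal AuthnRequest, as an SP would send it."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="2016-04-07T00:00:00Z" '
            f'AssertionConsumerServiceURL="{acs}">'
            f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>")


if __name__ == "__main__":
    for issuer in ("https://partner-a.example.com/saml/metadata",
                   "https://partner-a.example.com/saml/metadat"):  # second one has a typo
        acs = "https://partner-a.example.com/saml/acs"
        print(route_or_error(encode_redirect_request(build_authn_request(issuer, acs))))
```

The point for the thread: the SP is identified from the request itself, so a single IdP can hand partner A the userPrincipalName and partner B the sAMAccountName without the user choosing anything on a webtop; what breaks the match is a connector whose entityID or ACS does not equal what the SP actually sends, which is why importing the SP's metadata is safer than typing the values in. Whether APM's SP-initiated-only configuration lets you vary the assertion per SP is the documentation question Jason raises; this example only models the matching, not that product limitation.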