Forum Discussion

SpencerWebb_265's avatar
SpencerWebb_265
Icon for Nimbostratus rankNimbostratus
Jun 26, 2017

Automate SAML logon with external IdP

Hi,

 

I have integrated our Shibboleth IdP with an F5 local SP within APM and authentication is working as expected between the two.

 

As a second stage I was hoping to collect the users logon variables (username/password) with a standard APM logon page and then pass them silently into the external IdP to get that user a SAML token that can then be used to seamlessly access all services configured on that IdP (also potnetially upon establishing an SSLVPN connection)

 

Am I going about this the wrong way?

 

I was hoping not to have to replace the existing IdP as we have 50 or so services configured to use it.

 

Thanks Spence

 

  • Yes, our IdP is local and load balanced by the F5 so one option would be to get F5 to create an SP session and then perform an SSO into the IdP.

    I don´t see how can you do this.If you configure APM as SP then you get th user redirected to the IDP and you loose control at that moment. If the IDP performs SSO by detecting a cookie or authenticates the user by username or passoword that´s not SP business, SP only cares about the assertion coming from the IDP through the user browser/client.

    The irule option I think it can be hard. Anyway it is better if you share a diagram or somthing to clarify a bit what you are trying to do.

  • Hi Daniel,

     

    thanks for getting back to me.

     

    With our Shibboleth install, once I have authenticated into one system via our IdP then if I visit another site configured to point at the IdP (whilst my SAML token is valid) then it will automatically perform the attribute release for that system and log me in without further interaction. It's possible that it's using the cookie method you describe here, I will have to check.

     

    Yes, our IdP is local and load balanced by the F5 so one option would be to get F5 to create an SP session and then perform an SSO into the IdP.

     

    Is it possible to do this via an iRule so that it could be done in the background? The piece I'm missing at the moment is how I could combine the SP request with the SSO action.

     

    Thanks for your help so far.

     

  • Hi Spencer,

     

    I'm not sure if I understood you well. I don't think you can do this easilly or at least as you expect. The SAML assertion is only valid for one SP and its validity is finite (I think F5 idp is 5~10 minutes) so there is no way to get an assertion that will be globally valid between services.

     

    What I have done in some customers using F5 idp is take advance of the domain SSO configuration. When the user is authenticated for first time in the IDP you get a cookie session. The second time you access a SP service and you get redirected to the IDP, as you have the cookie session with you you will be automatically autenticated and a new saml assertion will be provided to the SP, etc.

     

    Apart from this, if I understood well, you are thinking in placing the APM in front of you IDP and do SSO? This may work if you IDP are local.

     

    I hope this shed some light onto your ideas.