Forum Discussion
Nick_Aslanidis_
Nimbostratus
Sep 07, 2015
AWS federation using F5 APM and SAML
It would seem that for just about every other IdP out there, there is detailed information for configuring SSO with AWS; however, I have really struggled to find detailed information on this for F5 AP...
Robert_Teller_7
Oct 05, 2015
Historic F5 Account
I know this is a little late but take a look at https://devcentral.f5.com/articles/configuration-example-big-ip-apm-as-saml-idp-for-amazon-web-services and let me know if you have any questions.
Nick_Aslanidis_
Nimbostratus
Oct 05, 2015
Hi Robert. Thanks for that, that's excellent and I really appreciate it. There really isn't a lot of information out there on this and as I'm fairly new to both AWS and APM it was proving a little difficult.
I have made progress and do now have it working along the lines of what you've done in your example. In fact, your way is a little nicer when it comes to the VPE, so I will modify my policy today to simplify it a bit. The only issue that remains for me is handling people who may be in more than one AD group and thus need to be able to access more than one role. The AWS console handles it nicely in that if you have access to more than one role you get the option to choose. I am trying to replicate that with the SAML assertions but it's difficult with the way the multi-valued attributes work. The only way I could see it working was if there's a way to add or remove attribute values based on a group membership. I haven't as yet found a way to do that, but if you know of any way of potentially doing that. If not, thanks for your assistance anyway.
Nick.
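Added example, not part of the thread and not APM configuration: AWS reads the SAML attribute `https://aws.amazon.com/SAML/Attributes/Role` as multi-valued, one `AttributeValue` per role in the form `role-ARN,provider-ARN`, so the per-group logic discussed above amounts to emitting one value for each allowlisted group the user belongs to. The group DNs, account ID, role names and provider name below are constructed placeholders, and comparing case-folded whole DN strings is an assumption about how the directory returns `memberOf`.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
ET.register_namespace("saml", SAML_NS)

# Constructed placeholders: IAM SAML provider ARN and the AD group -> IAM role allowlist.
PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/ExampleIdP"
GROUP_TO_ROLE = {
    "cn=aws-admins,ou=groups,dc=example,dc=com": "arn:aws:iam::123456789012:role/Admin",
    "cn=aws-readonly,ou=groups,dc=example,dc=com": "arn:aws:iam::123456789012:role/ReadOnly",
}


def roles_for_groups(member_of):
    """Return sorted 'role_arn,provider_arn' values for allowlisted groups only.

    The whole DN must match, so a look-alike group such as
    'cn=aws-admins-temp,...' never inherits the Admin role by substring.
    """
    held = {dn.strip().casefold() for dn in member_of}
    return sorted(
        f"{role},{PROVIDER_ARN}" for dn, role in GROUP_TO_ROLE.items() if dn in held
    )


def role_attribute(member_of):
    """Build the multi-valued Role <Attribute>, or None if no group maps to a role."""
    values = roles_for_groups(member_of)
    if not values:
        return None  # caller should deny rather than send an assertion with no role
    attr = ET.Element(f"{{{SAML_NS}}}Attribute", {"Name": ROLE_ATTR})
    for value in values:
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return attr


if __name__ == "__main__":
    # Constructed memberOf list for a user in both mapped groups plus an unrelated one.
    groups = [
        "CN=aws-admins,OU=Groups,DC=example,DC=com",
        "CN=aws-readonly,OU=Groups,DC=example,DC=com",
        "CN=staff,OU=Groups,DC=example,DC=com",
    ]
    print(ET.tostring(role_attribute(groups), encoding="unicode"))
```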