Forum Discussion
BIGIP how to handle multiple IDP each with multiple external SP
Hi Alex,
Normally this behaviour is configured using the Entity ID and ACS (Assertion Consumer Service) under the External SP Connector (Access ›› Federation : SAML Identity Provider : External SP Connectors). By linking (binding) up the SP connectors with the relevant Local IdP service, you can select if you want to use the AD or the LDAP config.
The SP (in your case SAAS-a, SAAS-b etc) will send their unique identifier across to the F5, which will then select the correct SP to use, based on the Entity ID and ACS, and then select the correct IdP config based on its bindings and it should be working! With this, you don't have to worry about multiple domain names or VSes for the selection process. Large-scale services use the same trick to identify whose database they need to query when auth requests come in.
Hope this helps.
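A simplified model of the selection described in the reply above, added here as an illustration; it is not BIG-IP code and not part of the original post. The connector table, the `.example` URLs and the service names `idp-service-ad` / `idp-service-ldap` are assumptions made up for the example.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical external SP connectors, keyed by (Entity ID, ACS URL).
# The value is the local IdP service the connector is bound to.
SP_CONNECTORS = {
    ("https://saas-a.example/sp", "https://saas-a.example/acs"): "idp-service-ad",
    ("https://saas-b.example/sp", "https://saas-b.example/acs"): "idp-service-ldap",
}


def sample_request(entity_id, acs_url):
    """Build a constructed (not captured) SAML AuthnRequest for the demo."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
        'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{entity_id}</saml:Issuer></samlp:AuthnRequest>"
    )


def select_idp_service(authn_request_xml):
    """Return the IdP service bound to the SP that sent the request.

    Both the Issuer (Entity ID) and the ACS URL must match one connector.
    Returns None when no connector matches, so an unknown SP, or a known
    Entity ID paired with an unexpected ACS URL, is never handed to an IdP.
    """
    # Sample input is constructed; parse real, untrusted SAML with a
    # hardened XML parser.
    root = ET.fromstring(authn_request_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    acs_url = root.get("AssertionConsumerServiceURL", "")
    return SP_CONNECTORS.get((issuer, acs_url))


if __name__ == "__main__":
    for eid, acs in [
        ("https://saas-a.example/sp", "https://saas-a.example/acs"),
        ("https://saas-b.example/sp", "https://saas-b.example/acs"),
        ("https://saas-a.example/sp", "https://other.example/acs"),
    ]:
        print(eid, acs, "->", select_idp_service(sample_request(eid, acs)))
```

The third request carries a known Entity ID with an ACS URL that matches no connector, so it resolves to no IdP service at all.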