F5 as an IdP for ArcGIS Online

Hi ,

from their website I can see that ArcGIS Online supports SP-initiated SAML logins and IDP-initiated SAML logins.

Your BIG-IP APM Limited supports SAML. See here for the limitations of APM Limited: K72971039: BIG-IP APM operations guide | Chapter 2: Licenses

There are two flavours of SSO with SAML, SP-initiated or IdP-initiated login. I guess your customer is aksing you to setup SP-initiated login. The login process for SP-initiated login would look as follows.

1. The user logs in to the Service Provider, in your case ArcGIS Online.
2. The Service Provider uses the browser to redirect the user back to the BIG-IP APM IdP.
3. The BIG-IP APM IdP prompts the user to log in.
4. The system retrieves any required attributes from the user data store to pass on to the Service Provider.
5. The system uses the browser to send the SAML assertion and any required attributes to the Service Provider.

If this is the use case your customer is looking for, then the documentation for such setup you can find here: Manual Chapter : Using APM as a SAML IdP (no SSO portal)

The other use case is IdP initiated login, if you customer is looking for this, then this is the process:

1. The user logs in to the BIG-IP APM IdP and the system directs them to the BIG-IP APM webtop.
2. The user selects the Service Provider, in your case ArcGIS Online.
3. The system retrieves any required attributes from the user data store to pass on to the Service Provider.
4. The system uses the browser to direct the request to the Service Provider, along with the SAML assertion and any required attributes.

And there is also a setup guide: Using APM as a SAML IdP (SSO portal)

KR

Daniel