For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Ingebrigt_Maurs's avatar
Ingebrigt_Maurs
Icon for Nimbostratus rankNimbostratus
Oct 27, 2014

IDP initiated binding with APM as SP

Hi!   I have a working setup with APM as Service Provider, using SP-initiated binding.   Now I have an IDP that wants to use IDP-initiated binding, but I am unable to find good documentation fo...
BIG-IP Access Policy Manager (APM)
security
Michael_Koyfma1's avatar
Michael_Koyfma1
Icon for Cirrus rankCirrus
Oct 27, 2014

Configuring External IDP connector should be fairly simple. Every SAML provider should be able to export its config via metadata. You should export your IDP config via Metadata and then choose Import as the method for creating an IDP connector.

 

There is one key difference in enabling IDP-initiated assertions work, you need to specify a RelayState value in the SP SAML configuration field. Check out this page:

 

https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-saml-config-guide-11-3-0/4.html

 

Specifically, on the Relay State:

 

Optional: In the Relay State field, type a value. The value can be an absolute path, such as hr/index.html or a URI, such as https://www.abc.com/index.html. It is where the service provider redirects users after they are successfully authenticated and have been allowed by the access policy. When APM receives the relay state from the Identity Provider in addition to assertion, then it uses the value received from the IdP to redirect the user. Otherwise, APM uses the value from this configuration.