For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Nifford's avatar
Nifford
Icon for Nimbostratus rankNimbostratus
Jan 25, 2016

Multiple F5 IdPs on One Access Profile w/IdP and SP-Initiated Logon

Here is my scenario:   I have multiple external SAML services that we need the F5s to function as an IdP for. The F5s need to support both IdP and SP initiated authentication to all of the externa...
BIG-IP Access Policy Manager (APM)
cloud
saml
Michael_Koyfma1's avatar
Michael_Koyfma1
Icon for Cirrus rankCirrus
Jan 25, 2016

I think there is some confusion there. Have you seen this part of the documentation?

 

https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/28.html

 

If you want to support SP and IDP-initiated connections, then you need to create SAML Resource objects and assign them to the webtop. So, the best practice setup for you would be to create unique IDP object per each SP you have(the entity ID can be the same/redundant across all IDP configs), then bind each IDP and SP connector together, create SAML Resource object, and assign all SAML resource objects to the webtop.

 

After that, you should have both SP and IDP-initiated logins work without issues - do not assign anything to the SSO at the Access Profile level in order for this work.