Forum Discussion
SAML IdP - Can you have one APM support multiple SAML IdPs?
- Oct 17, 2013
Yes, you can have multiple IdPs set up for one virtual server. We have 3 right now. In the access policy, after authentication, I have one webtop and the 3 SAML resources. Works just fine SP initiated.
I am trying to do this and also be able to assign the SAML resource depending on what AD security group they are in. For instance, I have three IdPs (webex, box, salesforce) and they all use the same VIP and all three resources on the same webtop as described above.
I am trying to figure out how I would determine the incoming IdP Entity ID perhaps, to then check if they are in the correct AD security group and then assign the correct SAML resource.
If I understand correctly, you can do this with successive Advanced Resource Assign on the VPE, or AD Group Resource Assign (can't remember if it allows assigning SAML resources). I mean chained AD Group or Advanced Resource Assign. On the first, assign the webtop to everybody, then fall back to another that assigns the first SAML resource with conditions, fall back to the second, and so on. With this config it is indifferent whether IdP or SP initiated. Webtop will not show links, but if SP initiated will not allow access.