Forum Discussion
SAML IdP - Can you have one APM support multiple SAML IdPs?
- We have set up one VIP and one APM that we want to use for all SaaS logins.
- We are currently federating with about four SaaS cloud vendors (Salesforce, Box, and others).
- I don't want to create multiple virtual servers or APMs, but for the APM you can only pick one SSO configuration.
- Each SAML IdP service shows up as its own SSO configuration. Will I need to do an iRule to switch between them?
- Also, in the documentation it says that you can have multiple IdPs for a virtual server.
Current Setup
SAML IdP Configuration
* IdP Services -> idp_salseforce (bound to SP connector) sp_connector_salesforce
* IdP Services -> idp_box (bound to SP connector) sp_connector_box
VirtualServer_SSO_SAML -> APM_SSO_SAML -> SSO Configuration -> Only allowed to pick one IdP service (this is the problem)
Yes, you can have multiple IdPs set up for one virtual server. We have 3 right now. In the access policy, after authentication, I have one webtop and the 3 SAML resources. Works just fine SP initiated.
- moureg16Cirrus
I’m working on using F5 as a SAML IdP and I need to emulate a SaaS as an SP. I lack knowledge about how to create such a lab (“the application demo”) to use as an SP.
Hi all,
I managed for my SP-initiated setup to assign the SAML SSO resource over the webtop. Works great, but only for one specific IdP config. The question now is, how can I distinguish the different SPs and assign different SAML SSO resources via webtop (single IdP VIP)? I tried with the condition Landing-URI, but of course this URI is always the same for all SAML communication.
Any ideas?
Thanks Thrillseeker
- Sergi_Munyoz_24Nimbostratus
Hi. As far as I can remember, you must create as many IdP services as SPs you have, and link them one to one, no matter if the IdP services are equal. Then create equivalent SAML resources and assign them on the VPE with the desired condition (not in the SSO part of the access policy). IdP- or SP-initiated, it must work.
Hope this helps
- HoneyBadgerIT_1Nimbostratus
I am trying to do this and also be able to assign the SAML resource depending on what AD security group they are in. For instance, I have three IdPs (webex, box, salesforce) and they all use the same VIP, with all three resources on the same webtop as described above.
I am trying to figure out how I would determine the incoming IdP Entity ID perhaps, to then check if they are in the correct AD security group and then assign the correct SAML resource.
- Sergi_Munyoz_24Nimbostratus
If I understand correctly, you can do this with successive Advanced Resource Assign on the VPE, or AD Group Resource Assign (can't remember if it allows assigning SAML resources). I mean chained AD Group or Advanced Resource Assign. On the first, assign the webtop to everybody, then fall back to another that assigns the first SAML resource with conditions, fall back to the second, and so on. With this config it makes no difference whether it is IdP- or SP-initiated. The webtop will not show links, but if SP-initiated it will not allow access.
- FI_2016_187929Nimbostratus
We are trying to do the same: have multiple Service Providers use F5 as IdP, but have each SP app have its own AD group associated with it and only allow users to access apps they are AD group members of. We use SP-initiated authentication. Is this possible?
The end result didn't use an iRule. What do you need to do?
- AP_129594Nimbostratus
Anybody mind sharing the iRules?
You shouldn't need rewrite on a SAML-only virtual, just the access profile. The cool thing you can do though is set up a rewrite portal on another virtual, have your users log in there and give them SAML resources, internal resources via links, Citrix (if you have it), SSL VPN (if you want to use it), View (again, if you have it), etc. Then they're logging in once and getting access to their resources.
Thanks Travis, that actually worked :) I should have continued going down the route of setting up a rewrite profile and a webtop. The problem was I thought the webtop would take me to a webtop portal page. It's hard to figure out how all the parts come together because of all of the loosely connected pieces. On to SharePoint integration now!
- Kevin_StewartEmployee
Generally speaking you might have multiple IdPs in an IdP-initiated config. In your case though you should be able to bind all of the SP connectors to the same IdP and have a single SSO object.
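Several posts above ask how to tell which SP an SP-initiated request came from and then gate the SAML resource on AD group membership. The sketch below is an added example, not code from any poster and not F5 APM configuration: it models that decision in Python by reading the Issuer (SP entity ID) from an HTTP-Redirect AuthnRequest and applying a default-deny group check. The entity IDs, group names and sample request are constructed.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_XML = 64 * 1024  # cap inflated size so a tiny request cannot expand without bound

# Constructed policy (hypothetical entity IDs and group names): SP -> required AD group.
SP_REQUIRED_GROUP = {
    "https://salesforce.sp.example/saml": "SSO-Salesforce",
    "https://box.sp.example/saml": "SSO-Box",
}

# Constructed AuthnRequest, as an SP would send it.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
    'Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    "<saml:Issuer>https://box.sp.example/saml</saml:Issuer>"
    "</samlp:AuthnRequest>"
)

def encode_redirect(xml_text):
    """Raw DEFLATE + base64, as in the HTTP-Redirect binding (before URL-encoding)."""
    comp = zlib.compressobj(wbits=-15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def issuer_of(saml_request):
    """Return the SP entity ID (Issuer) from a base64+DEFLATE SAMLRequest value."""
    inflater = zlib.decompressobj(-15)
    xml_bytes = inflater.decompress(base64.b64decode(saml_request), MAX_XML)
    if inflater.unconsumed_tail:
        raise ValueError("AuthnRequest too large")
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTDs are not accepted in SAML messages")
    issuer = ET.fromstring(xml_bytes).find("saml:Issuer", NS)
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("AuthnRequest has no Issuer")
    return issuer.text.strip()

def may_receive_assertion(saml_request, user_groups):
    """Default deny: unknown SPs and users outside the SP's group get nothing."""
    required = SP_REQUIRED_GROUP.get(issuer_of(saml_request))
    return required is not None and required in user_groups

if __name__ == "__main__":
    req = encode_redirect(SAMPLE_AUTHN_REQUEST)
    print(issuer_of(req), may_receive_assertion(req, {"SSO-Box"}))
```

The Issuer of an unsigned AuthnRequest is self-asserted, so treat it as a selector for which policy applies, not as proof of who sent the request.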