SAML SP post binding to IdP
Hey all, I am currently investigating the capabilities of integrating the BigIP as an SP with an external IdP (Shibboleth). I am providing a login page on the BigIP with an access policy that falls back to a SAML auth which I already have the binding in place for. It seems I should be able to post the credentials from the login page to the external IdP. Is there anything special I need to do to accomplish this outside of what I have described? Is the SAML auth in the access policy taking the username and password from the login session and attempting to post them to the IdP automatically, or do I need to specify that? First timer with SAML here. Any help is appreciated.
-GR
4 Replies
- Kevin_Stewart
Employee
Generally speaking, it is the IdP that challenges the user for credentials and the SP consumes a trusted assertion from that IdP. The SP wouldn't challenge the user for credentials. So in the barest form, your APM SP would be in front of the app, and the Shibboleth IdP would be a physically separate entity that the client contacts. Now, technically speaking, if the Shibboleth service was also behind an APM VIP, that would more likely just be an SSO configuration where a logon page collects credentials, maybe does some pre-validation, POSTs those credentials to the Shibboleth logon page, and lets the SAML from Shibboleth pass through. But arguably, if you're putting the IdP behind an APM VIP, why not just let APM be the IdP and save yourself the trouble of maintaining another app service.
- Kevin_Stewart
Employee
So in my APM policy I would remove the login page and make the SAML auth the first item in my policy then?
Yes. The SP will send the client a physical redirect (via 302 or auto-posted form) to the IdP for authentication. You could potentially subvert that redirect and force the client back to an APM VIP, and then POST those credentials to a remote IdP, but it would not be a trivial configuration.
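The SP-initiated flow Kevin describes, as an added example that is not part of the original thread or of F5's own code: the SP builds a SAML 2.0 AuthnRequest and hands the browser off to the IdP either with a 302 carrying the request in the query string (HTTP-Redirect binding: raw DEFLATE, base64, URL-encode) or with an auto-submitted form (HTTP-POST binding: base64 only). The entity IDs and endpoint URLs below are hypothetical placeholders; the `decode_redirect_binding` function shows what the IdP does with the query string on receipt.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from html import escape
from urllib.parse import parse_qs, urlencode, urlparse
from xml.etree import ElementTree as ET

# Hypothetical SP and IdP endpoints for this example (not from the thread).
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_SSO_REDIRECT_URL = "https://idp.example.com/idp/profile/SAML2/Redirect/SSO"
IDP_SSO_POST_URL = "https://idp.example.com/idp/profile/SAML2/POST/SSO"

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)


def build_authn_request(request_id=None, issue_instant=None):
    """Return a minimal SAML 2.0 AuthnRequest as an XML string.

    The SP must remember request_id so it can later check the Response's
    InResponseTo and reject assertions it never asked for.
    """
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": IDP_SSO_REDIRECT_URL,
        "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{NS_SAML}}}Issuer").text = SP_ENTITY_ID
    return ET.tostring(req, encoding="unicode")


def redirect_binding_url(authn_request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode.

    This is the Location header of the 302 the SP sends to the client.
    """
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    encoded = base64.b64encode(deflated).decode("ascii")
    query = urlencode({"SAMLRequest": encoded, "RelayState": relay_state})
    return f"{IDP_SSO_REDIRECT_URL}?{query}"


def decode_redirect_binding(url):
    """Inverse of redirect_binding_url: recover (xml, relay_state) as the IdP does."""
    params = parse_qs(urlparse(url).query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    xml = zlib.decompress(raw, -15).decode("utf-8")
    return xml, params.get("RelayState", [None])[0]


def post_binding_form(authn_request_xml, relay_state):
    """HTTP-POST binding: base64 (no deflate) inside an auto-submitted HTML form."""
    encoded = base64.b64encode(authn_request_xml.encode("utf-8")).decode("ascii")
    return (
        f'<form method="post" action="{escape(IDP_SSO_POST_URL)}">'
        f'<input type="hidden" name="SAMLRequest" value="{escape(encoded)}"/>'
        f'<input type="hidden" name="RelayState" value="{escape(relay_state)}"/>'
        '<noscript><input type="submit" value="Continue"/></noscript></form>'
        '<script>document.forms[0].submit();</script>'
    )


if __name__ == "__main__":
    xml = build_authn_request()
    print(redirect_binding_url(xml, "/webtop"))
    print(post_binding_form(xml, "/webtop"))
```

Note that neither binding above carries credentials: the only thing the SP ever sends to the IdP is the request, and the user types their password at the IdP. A production SP would additionally sign the redirect query (SigAlg and Signature parameters) or the POSTed request when the IdP requires it; that step is omitted here.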
- Greg_130338
Nimbostratus
OK so we got the SAML authentication to work. The IdP is supposed to be sending a number of different assertions in the token once authenticated. Are these supposed to be visible in the session variables so I can access and use them to authorize different users/groups for different resources? I'm not sure where to access and use these additional attributes. Basically I've been able to authenticate an external user and give them a webtop with a link just as a proof of concept.
- Kevin_Stewart
Employee
Are these supposed to be visible in the session variables so I can access and use them to authorize different users/groups for different resources?
If the APM SP is successfully consuming the IdP's assertion, then an access session will be established for the user that will contain, among many other values, the assertion attributes. To verify, perform a successful authentication and then run a report in APM to show the session variables of this latest test. You should see a whole section of session.saml.* variables. You can then use these values to make additional decisions in your visual policy.
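What the SP does between "consuming the assertion" and "populating session variables", as an added example that is not part of the original thread and not F5's own code: the constructed Shibboleth-style Response below is checked for success status, a matching InResponseTo, a validity window and an audience restriction naming this SP, and only then are the NameID and the AttributeStatement flattened into `session.saml.*`-style variables that a policy branch can test. The exact APM variable names (`session.saml.last.attr.name.<Name>` and so on) are an assumption here, as are the entity IDs and group DNs; the sample has no XML Signature, so signature verification (normally done with xmlsec against the IdP's metadata certificate) is out of scope and must precede everything shown.

```python
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample Response (unsigned, hypothetical entity IDs and groups).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z" InResponseTo="_req1"
    Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com/idp/shibboleth</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/idp/shibboleth</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">greg@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>greg</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="memberOf">
        <saml:AttributeValue>cn=webtop-users,ou=groups,dc=example,dc=com</saml:AttributeValue>
        <saml:AttributeValue>cn=vpn-users,ou=groups,dc=example,dc=com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """SAML timestamps are UTC in xs:dateTime form; return an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(response_xml, expected_audience, expected_request_id, now):
    """Return (ok, reason). Runs after signature verification, never instead of it."""
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return False, "status is not Success"
    if root.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo does not match the AuthnRequest this SP issued"
    assertions = root.findall("saml:Assertion", NS)  # direct children only
    if len(assertions) != 1:
        return False, "expected exactly one assertion"
    cond = assertions[0].find("saml:Conditions", NS)
    if cond is None:
        return False, "assertion has no Conditions"
    if now < parse_saml_time(cond.get("NotBefore")) or now >= parse_saml_time(cond.get("NotOnOrAfter")):
        return False, "assertion is outside its validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "audience restriction does not include this SP"
    return True, "ok"


def extract_session_variables(response_xml, prefix="session.saml.last"):
    """Flatten NameID and attributes into session-variable-style names (APM names assumed)."""
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    session_vars = {f"{prefix}.issuer": assertion.findtext("saml:Issuer", namespaces=NS)}
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is not None:
        session_vars[f"{prefix}.nameIDValue"] = name_id.text
        session_vars[f"{prefix}.nameIDFormat"] = name_id.get("Format")
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        session_vars[f"{prefix}.attr.name.{attr.get('Name')}"] = values  # multi-valued
    return session_vars


def authorize(session_vars, required_group_cn, prefix="session.saml.last"):
    """The policy-branch decision: is the user in the group a resource requires?"""
    groups = session_vars.get(f"{prefix}.attr.name.memberOf", [])
    return any(g.lower().startswith(f"cn={required_group_cn.lower()},") for g in groups)


if __name__ == "__main__":
    now = parse_saml_time("2024-01-01T12:00:30Z")
    print(validate_assertion(SAMPLE_RESPONSE, "https://sp.example.com/saml/metadata", "_req1", now))
    for name, value in extract_session_variables(SAMPLE_RESPONSE).items():
        print(f"{name} = {value}")
```

Two design points carry over to the APM report Kevin mentions: attributes are multi-valued, so a group check iterates over the list rather than comparing one string, and the attributes must be read from the same assertion that passed validation (the code takes the single direct-child Assertion and rejects responses with more than one).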