Forum Discussion
Chris_Phillips2
Nimbostratus
Apr 23, 2010
So, What about SAML2 and attribute release?
Been using F5's since the early 2000's and am in the identity side of the house, specifically around SAML2 and Federation aspects.
While I understand that the APM cannot perform federation elements, I'm interested in understanding how attributes about an identity are passed to the downstream resources.
We use a number of reverse proxy techniques now that populate HTTP headers with attributes and am wondering if that is the same thing that APM will do.
Anyone care to comment?
Thanks!
Chris.
7 Replies
- Chris_Phillips2
Nimbostratus
hmmm 5 days gone by, no answer...anyone?
- N_65943
Nimbostratus
I am also looking for something similar.
Using LTM/APM/ASM as a secure reverse proxy and interested about Federation Services, which I know isn't there.
The main requirement is to "collapse" infrastructure and use APM as the central point of authentication.
As a side note - also looking for ideas about authenticating where XML is required to call the back end authentication services.
I heard 10.2 will have new XML features...
- N_65943
Nimbostratus
no response...
- Chris_Phillips2
Nimbostratus
Sorry 'N', I agree, no response either.
Collapsing down to just APM from my perspective is a bit short-sighted as there is a lot more involved in dealing with attribute release (e.g. retrieve them over an XML SAML2 response).
It would kick ass if the APM environment could respond to downstream services requests either through stuffing attributes in the header OR responding to SAML2 requests for attributes for an approved APM session.
It seems like a half solution to just use APM so far.
- AndyO_5024
Historic F5 Account
Hey guys... SAML2 is definitely interesting... can you guys elaborate on the use cases for SAML2?
For example, on the "service provider" side and/or "identity provider" side (as defined by the SAML guys...)
Thanks,
Andy
- Minn_62043
Cirrostratus
I couldn't find the support for SAML in the manual. [http://bit.ly/cCrysN]. It does have support for HTTP Authentication methods (Basic, NTLM, Form-based) and "Oracle Access Manager".
- Juerg_Wiesmann
Nimbostratus
Hi Chris,
Just got this post. So I might be a bit late to answer.
No, SAML is not on the supported feature list right now. Even I found a lot of need to support federations. We see this as more and more important. Insurance companies, for instance, sell their contracts through agents. These agents are selling different solutions from different insurance companies. That's why they built an "Organisation of Interest" called igB2B www.igb2b.ch to handle this interface. Sorry, the website is not in English. This organisation will also act as an IDP.
The more I think about this, I think we might be able to read out SAML tokens from the IDP and use the information out of it to allow / disallow access to objects or applications.
Would maybe need an iRule and APM approach.
Kind Regards
Wiesmann