Forum Discussion

danfraser_21137's avatar
danfraser_21137
Icon for Nimbostratus rankNimbostratus
Jan 15, 2016

Use APM to access a web server (SP) requiring SAML by using a ADFS server (IdP)

Hi,

 

At the moment I have a web server (Service Provider) and a Windows ADFS server (Identity Provider) which allows users on the main network to visit. (Work PC > Webserver > IdP > Webserver > now authenticated)

 

I am now trying to set this up so users can access the web server remotely by using the F5 APM module. One option is that I set the F5 up as an IdP and connect to the SP. However, the web server is a SaaS and cannot be easy changed. For example I cannot change the SP to accept tokens from the F5.

 

So my question is, can I somehow get the F5 to use the Windows ADFS server to assert the tokens on it's behalf. And how can I do this.

 

Thanks for your time.

 

 

  • Hi Danfraser,

     

    figure 3.) would be suitable, if you want to make your internal AD FS securely accessible over the internet (aka. using APM PreAuth with credential delegation).

     

    But additional steps may be required to make your SaaS application accessible over the internet, too (aka. using the same APM PreAuth but without credential delegation).

     

    The combination of both would create a strong protection for both services and would allow the SaaS application to still use AD FS as a authentication provider.

     

    Cheers, Kai

     

  • AN's avatar
    AN
    Icon for Nimbostratus rankNimbostratus

    Hi, I am planning to configure same (ADFS as iDP and F5 APM as SP). I couldn't find any documentation and help on it wonder someone can guide me. I have APM Policy as

    Start -> SAML Auth -> SSO Credentail Mapping -> Allow

                                                Deny
    

    I imported XML file into External Idp Connectors under SAML-> BIG IP as SP

    Local SP Services configured as following General Setting ~~~~~~~~~~~~~~~ Name: F5-SP Entity ID: https://login.example.com SP Name Settings: Scheme: https Host: login.example.com

    Endpoint Settings: ~~~~~~~~~~~~~~~~~ Assertion Consumer SErvice Binding: POST

    Security Settings: Checked "Authentication Request" (certificate and Keys are selected different than ADFS) Checked: Want Signed Assertion Unchecked: Want Encrypted Assertion

    Advanced Setting: Unchecked: Force Authentication Checked: Allow Name-Identifier Creation

    Name-Identifier Policy Format: urn:oasis:names:tc:SANL:1.1:nameid-format:WindowsDomainQual...

    SP Name-Identifier Qualifier: None

    I am getting following error: /frontend/F5-SP:frontend:dbad7144: Executed agent '/frontend/F5-SP_act_saml_auth_ag', return value 3 /frontend/F5-SP:frontend:dbad7144: Session variable 'saml./frontend/F5-SP_act_saml_auth_ag.SAMLRequest' set to 'hhhhhhhhhhhhXXXXXX' /frontend/F5-SP:frontend:dbad7144: SAML Agent: /frontend/F5-SP_act_saml_auth_ag SAML assertion is invalid, error: Assertion status is not successful /frontend/F5-SP:frontend:dbad7144: Executed agent '/frontend/F5-SP_act_saml_auth_ag', return value 0 /frontend/F5-SP:frontend:dbad7144: Following rule 'fallback' from item 'SAML Auth' to ending 'Deny'

  • I'm also trying to implement similar configurations. We host SaaS application for our clients. So we would like to have APM as SP which will communicate with client's IDP (could be anything).