Big-IP Access Policy Manager (APM) Identity Federation SAML Documentation

As enterprise customers accelerate their cloud Software-as-a-Service (SaaS) deployments, their IT staff are observing increased help desk calls and user password fatigue issues. F5's Big-IP Access Policy Manager (APM) product can address these requirements through its support for SAML 2.0 federation services, acting as an Identity Provider (IdP) for popular SaaS services such as Office 365 and Salesforce. Big-IP APM supports both Service Provider (SP)-initiated and IdP-initiated deployments for identity federation to SaaS services, as illustrated below.

IdP Initiated SAML



  1. User logs on to the Big-IP APM IdP and is directed to the webtop
  2. User selects a Salesforce service from the webtop.
  3. Big-IP APM may retrieve attributes from the user data store to pass on to the SaaS service provider.
  4. Big-IP APM directs the requests to the SaaS service with the SAML assertion and optional attributes via the user browser.




SP Initiated SAML

  1. User accesses the Salesforce SaaS service.
  2. Salesforce redirects the user back to the Big-IP APM SAML IdP with a SAML request via the user's browser.
  3. Big-IP APM prompts the user to log on with the relevant credentials.
  4. At this time Big-IP APM may retrieve attributes from the user data store to pass on to the SaaS service provider (SP).
  5. Big-IP APM then sends a SAML response to Salesforce, via the user's browser, with the authentication information and optional attributes to allow access to the service.
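
The two flows differ in what the SP can check on the incoming response: in the SP-initiated flow the response answers a request the SP issued, so its InResponseTo value can be matched against that request's ID, while an IdP-initiated response is unsolicited and carries none. The sketch below is an added example, not F5 or Big-IP APM code; `classify_response`, `pending_ids`, `allow_unsolicited` and the sample message are hypothetical names and constructed data.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def classify_response(response_xml, pending_ids, allow_unsolicited=False):
    """Return 'sp-initiated' or 'idp-initiated'; raise ValueError to reject.

    pending_ids: set of AuthnRequest IDs this SP issued and has not seen answered.
    Assumption: signature, Destination, audience and validity-window checks are
    done elsewhere, and a hardened XML parser is used for untrusted input.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a SAML 2.0 Response")
    resp_irt = root.get("InResponseTo")
    scd = root.find(f".//{{{SAML}}}SubjectConfirmationData")
    scd_irt = scd.get("InResponseTo") if scd is not None else None

    if resp_irt is None and scd_irt is None:
        # IdP-initiated flow: the IdP sends a response no request asked for.
        if not allow_unsolicited:
            raise ValueError("unsolicited response not accepted by this SP")
        return "idp-initiated"
    if resp_irt != scd_irt:
        raise ValueError("InResponseTo differs between Response and assertion")
    if resp_irt not in pending_ids:
        raise ValueError("InResponseTo matches no outstanding AuthnRequest")
    pending_ids.discard(resp_irt)  # single use: a replayed response now fails
    return "sp-initiated"

def sample_response(in_response_to=None):
    """Constructed, unsigned, trimmed Response as posted via the user's browser."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_resp1" Version="2.0"{irt}><saml:Assertion ID="_a1" Version="2.0">'
        f'<saml:Subject><saml:SubjectConfirmation '
        f'Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData{irt}/></saml:SubjectConfirmation>'
        f'</saml:Subject></saml:Assertion></samlp:Response>'
    )

if __name__ == "__main__":
    pending = {"_req42"}  # constructed ID of an AuthnRequest the SP sent earlier
    print(classify_response(sample_response("_req42"), pending))
    print(classify_response(sample_response(), pending, allow_unsolicited=True))
```
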



Over the years, F5 has been extending its support for identity federation, including support for SAML 2.0 OASIS standard features, and publishing collateral that helps administrators deploy Big-IP APM IdP services. Below is a consolidated list of documentation, which includes deployment guides for federating with the following SaaS services:

  1. Office 365
  2. Salesforce
  3. Workday
  4. Amazon Web Services
  5. Concur
  6. ServiceNow
  7. Jive
  8. Wombat
  9. Zendesk
  10. Cisco Webex
  11. Box
  12. Google Apps


The deployment guides mentioned below provide details on setting up the following Big-IP APM objects for the SaaS applications listed above:

  • Profiles, AAA server and Virtual Server
  • IdP Configuration
  • SP Connector Configuration 
  • Access Policy Setup using Visual Policy Editor
  • iApps to set up the above configuration are also available in the guide*

The deployment guides also have pointers on configuring SaaS SP services based on the SaaS provider documentation. 

While these deployment guides are provided as a quick reference for configuring the SaaS applications mentioned above, Big-IP APM can be used to set up almost any other SaaS application that supports the SAML 2.0 OASIS standard.

Deployment Guides

Please add comments below should you have any feedback for this documentation or need other APM related documentation. 

* The production version of the APM IdP to Office 365 iApp is available in the Office 365 guide. A beta version of the iApp for all other SaaS applications is available here (the production version will be released soon).



Published Jan 19, 2016
Version 1.0
