Configuration Example: BIG-IP APM as SAML IdP for Amazon Web Services
I used this document to deploy a SAML configuration with AWS GovCloud; it generally worked well with a few modifications:
- You have to import the GovCloud metadata; otherwise, when the SAML assertion is sent, AWS will report that the Identity Provider or Role does not exist.
- No matter which method is used to determine the role to be assigned, the statements "arn:aws:iam" must be replaced with "arn:aws-gov-us:iam" or, again, AWS will report that the Role does not exist.
I originally attempted to use the "Assign AWS Roles (Advanced+)" method provided by Jacob Newfield above, and it worked well right up to the part where the multi-value SAML assertion was to be generated. Instead of sending:
https://aws.amazon.com/SAML/Attributes/Role"; NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" > A B C
The following SAML code would be sent:
| A | B | C |
If you've not guessed by now, AWS reports a Role not found error here as well. I ended up munging Advanced and Advanced+, which will henceforth be known as "Advanced-Hybrid", because I think that using a session variable in the SAML Attribute section is cleaner. TIMTOWTDI.
Ultimately I'd love to see the MV SAML assertion method work because I think that we may eventually need multi-role users. We will see if F5 support can assist with why the conversion is not taking place.
Sean
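The two failure modes Sean describes (a Role attribute whose several values are collapsed into one, and role/provider ARNs carrying the wrong partition for the target AWS region) both surface as the same opaque "Role not found" error on the AWS side. The following checker is an added example, not part of the original comment or of F5's configuration guide: it parses a captured SAML assertion, pulls every AttributeValue under the AWS Role attribute, and reports collapsed multi-values and partition mismatches before the assertion is ever sent to AWS. The assertion fragments, account numbers and role names are constructed for the example, and the expected partition string is supplied by the caller rather than assumed by the code.

```python
import xml.etree.ElementTree as ET

# Namespace of the SAML 2.0 assertion schema and the attribute name AWS
# expects the role list under (the same Name shown in the comment above).
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"


def make_assertion(role_values):
    """Build a minimal constructed assertion with one AttributeValue per entry.

    Hypothetical helper used only to generate sample input; a real IdP emits
    Subject, Conditions, Signature, etc. which are irrelevant to this check.
    """
    values = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in role_values)
    return (
        f'<saml:Assertion xmlns:saml="{SAML2}"><saml:AttributeStatement>'
        f'<saml:Attribute Name="{ROLE_ATTR}" '
        f'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">'
        f"{values}</saml:Attribute></saml:AttributeStatement></saml:Assertion>"
    )


def role_values(assertion_xml):
    """Return the text of every AttributeValue under the AWS Role attribute."""
    # For assertions captured from untrusted sources, parse with defusedxml
    # instead of the standard library parser.
    root = ET.fromstring(assertion_xml)
    found = []
    for attr in root.iter(f"{{{SAML2}}}Attribute"):
        if attr.get("Name") == ROLE_ATTR:
            for value in attr.findall(f"{{{SAML2}}}AttributeValue"):
                found.append((value.text or "").strip())
    return found


def check_role_attribute(assertion_xml, expected_partition):
    """Return a list of human-readable findings; an empty list means the
    Role attribute looks acceptable for the given ARN partition."""
    findings = []
    values = role_values(assertion_xml)
    if not values:
        return ["no AWS Role attribute found in assertion"]
    for value in values:
        # A single value holding several role/provider pairs (separated by
        # '|' or simply concatenated) is the collapsed multi-value case.
        if "|" in value or value.count("arn:") > 2:
            findings.append(f"collapsed multi-value, expected one AttributeValue per role: {value!r}")
            continue
        parts = value.split(",")
        if len(parts) != 2:
            findings.append(f"expected 'role-arn,provider-arn' pair: {value!r}")
            continue
        for arn in parts:
            pieces = arn.split(":")
            # ARN layout is arn:<partition>:<service>:<region>:<account>:<resource>
            if len(pieces) < 6 or pieces[0] != "arn":
                findings.append(f"malformed ARN: {arn!r}")
            elif pieces[1] != expected_partition:
                findings.append(f"partition {pieces[1]!r} != expected {expected_partition!r}: {arn!r}")
    return findings


# Constructed sample assertions, each exercising one outcome.
PROVIDER = "iam::123456789012:saml-provider/BIGIP-APM"
GOOD = make_assertion([
    f"arn:aws-us-gov:iam::123456789012:role/ReadOnly,arn:aws-us-gov:{PROVIDER}",
    f"arn:aws-us-gov:iam::123456789012:role/PowerUser,arn:aws-us-gov:{PROVIDER}",
])
COLLAPSED = make_assertion([
    f"arn:aws-us-gov:iam::123456789012:role/ReadOnly,arn:aws-us-gov:{PROVIDER} | "
    f"arn:aws-us-gov:iam::123456789012:role/PowerUser,arn:aws-us-gov:{PROVIDER}",
])
WRONG_PARTITION = make_assertion([
    f"arn:aws:iam::123456789012:role/ReadOnly,arn:aws:{PROVIDER}",
])

if __name__ == "__main__":
    for label, xml in (("good", GOOD), ("collapsed", COLLAPSED), ("partition", WRONG_PARTITION)):
        print(label, check_role_attribute(xml, "aws-us-gov") or "OK")
```

Run it against an assertion captured with a browser SAML tracer (decoded from the SAMLResponse form field) to see which of the two problems a "Role not found" response actually corresponds to; the checker only inspects the Role attribute and says nothing about the signature or audience, which AWS validates separately.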