As enterprise customers start to accelerate their cloud Software-as-a-Service (SaaS) deployments their IT staff is observing increased help desk calls and user password fatigue issues. F5’s Big-IP Access Policy Manager (APM) product can address these requirements through its support for SAML 2.0 federation services like Identity Provider (IdP) for popular SaaS services such as Office 365, Salesforce etc. Big-IP APM supports both Service Provider (SP)-initiated and IdP-initiated deployments for identity federation to SaaS services as illustrated below
User logs on to the Big-IP APM IdP and is directed to the webtop
User selects a Salesforce service from the webtop.
Big-IP APM may retrieve attributes from the user data store to pass on to the SaaS service provider.
Big-IP APM directs the requests to the SaaS service with the SAML assertion and optional attributes via the user browser.
User accesses Salesforce SaaS service.
Salesforce redirects the user back to the Big-IP APM SAML IdP with SAML request via the user's browser.
Big-IP APM prompts the user to logon with the relevant credentials.
At this time Big-IP APM may retrieve attributes from the user data store to pass on with the SaaS service provider (SP).
Big-IP APM then sends a SAML response to Salesforce with the authentication information and optional attributes via the user's browser for allowing access to the service.
Over the years F5 has been extending its support for identity federation including support for SAML 2.0 OASIS standard features and publishing collateral for administrators to easily deploy Big-IP APM IdP services. Below is a consolidated list of documentation which includes the deployment guides to federate against the following SaaS services
Amazon Web Services
The deployment guides mentioned below provide details on setting up the following Big-IP APM objects for above mentioned SaaS applications
Profiles, AAA server and Virtual Server
SP Connector Configuration
Access Policy Setup using Visual Policy Editor
iApps to setup the above configuration is also available in the guide*
The deployment guides also have pointers on configuring SaaS SP services based on the SaaS provider documentation.
While these deployment guides are provided as a quick reference for configuring the above mentioned SaaS applications, Big-IP APM can be used to setup almost any other SaaS applications that support SAML 2.0 OASIS standard.
Please add comments below should you have any feedback for this documentation or need other APM related documentation.
* Production version of APM IdP to Office 365 iApp is available in the Office 365 guide. Beta version of iApp for all other SaaS applications is available here (production version will be released soon)