igorzhuk
Mar 10, 2023
Solved

APM as Saml IDP with many SP

Hi, I have APM as IdP and we now have only 1 SP [it's SP-initiated SSO]. Now we want to add an additional SP. I want that in the IdP VPE, only users in some groups will be allowed to auth with a specific SP that I...
  • Daniel_Wolf
    Mar 12, 2023

    Hi igorzhuk,

    Yes, that is possible. You can use one IdP for multiple SPs. You will just add another trust relationship between your IdP and the second SP, and add the new resource to the resource assign object in the Policy Editor.
    Depending on the way your users authenticate against the IdP, you could for example use Active Directory groups for selecting which users will have access to which resource. Or maybe other attributes can be used (user domain if the user authenticates with a mail address, attribute of a client certificate...)

    Take a look here: https://techdocs.f5.com/en-us/bigip-16-0-0/big-ip-access-policy-manager-saml-configuration/using-apm-as-a-saml-idp-no-sso-portal.html

    KR
    Daniel
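
The group-per-SP gating described in the reply above, modeled in Python as an added example (not part of the thread and not APM configuration): each SP is mapped to the AD groups allowed to use it, and whole-DN matching is compared with a loose substring check. The SP entity IDs, group DNs and the pipe-separated memberOf format are assumptions made for the illustration.

```python
# Added illustration, not F5 configuration: a model of the per-SP group gate.
# Entity IDs, group DNs and memberOf strings below are constructed sample values.

# Hypothetical policy: SP entity ID -> AD group DNs whose members may use that SP.
SP_ALLOWED_GROUPS = {
    "https://sp1.example.com/saml": {"CN=SP1-Users,OU=Groups,DC=example,DC=com"},
    "https://sp2.example.com/saml": {"CN=SP2-Users,OU=Groups,DC=example,DC=com"},
}


def parse_member_of(raw):
    """Split a pipe-separated memberOf string (assumed format) into whole DNs.

    DNs are lower-cased because Active Directory compares them case-insensitively.
    """
    return {dn.strip().lower() for dn in raw.split("|") if dn.strip()}


def is_allowed(sp_entity_id, member_of_raw):
    """Default deny: unknown SPs and users without a required group get False."""
    required = SP_ALLOWED_GROUPS.get(sp_entity_id)
    if not required:
        return False
    user_groups = parse_member_of(member_of_raw)
    return any(dn.lower() in user_groups for dn in required)


def allowed_sps(member_of_raw):
    """List every SP the user may reach, e.g. to drive resource assignment."""
    return sorted(sp for sp in SP_ALLOWED_GROUPS if is_allowed(sp, member_of_raw))


def substring_match(member_of_raw, group_cn):
    """Loose check shown for contrast: matches any DN that contains the text."""
    return group_cn.lower() in member_of_raw.lower()


# Constructed sample users.
ALICE = "| CN=SP1-Users,OU=Groups,DC=example,DC=com | CN=Staff,OU=Groups,DC=example,DC=com |"
BOB = "| CN=SP1-Users-Audit,OU=Groups,DC=example,DC=com |"

if __name__ == "__main__":
    print(allowed_sps(ALICE))
    # Bob is only in a similarly named group: substring says yes, whole-DN says no.
    print(substring_match(BOB, "CN=SP1-Users"), is_allowed("https://sp1.example.com/saml", BOB))
```

Matching on the whole distinguished name keeps a user in a similarly named group (here `SP1-Users-Audit`) from being treated as a member of `SP1-Users`.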