Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

APM as Saml IDP with many SP

Go to solution
igorzhuk
Altostratus
Altostratus

‎10-Mar-2023 14:28

Hi, I have APM as IDP and we have now only 1 SP, [ Its SP initiate SSO]

Now we want added additional SP, I want that in IDP VPE, only users in some groups will allows to auth with specific SP that I Allow on VPE,

Can I use enforce this on the IDP side?

 

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Daniel_Wolf
MVP
MVP

‎12-Mar-2023 04:05

Hi @igorzhuk,

yes, that is possible. You can use one IdP for multiple SPs.  You will just add another trust relationship between your IdP and the second SP. And add the new resource to the resource assign object in the Policy Editor.
Depending on the way your users authenticate against the IdP, you could for example use Active Directory groups for selecting which users will have access to which resource. Or maybe other attributes can be used (user domain if user authentices with mail address, attribute of a client certificate...)

Take a look here: https://techdocs.f5.com/en-us/bigip-16-0-0/big-ip-access-policy-manager-saml-configuration/using-apm...

KR
Daniel

View solution in original post

1 REPLY 1

Go to solution
Daniel_Wolf
MVP
MVP

‎12-Mar-2023 04:05

Hi @igorzhuk,

yes, that is possible. You can use one IdP for multiple SPs.  You will just add another trust relationship between your IdP and the second SP. And add the new resource to the resource assign object in the Policy Editor.
Depending on the way your users authenticate against the IdP, you could for example use Active Directory groups for selecting which users will have access to which resource. Or maybe other attributes can be used (user domain if user authentices with mail address, attribute of a client certificate...)

Take a look here: https://techdocs.f5.com/en-us/bigip-16-0-0/big-ip-access-policy-manager-saml-configuration/using-apm...

KR
Daniel

Copyright © 2023 Khoros, LLC