Forum Discussion

AlexS_yb's avatar
AlexS_yb
Icon for Cirrocumulus rankCirrocumulus
Apr 24, 2021

BIGIP how to handle multiple IDP each with multiple external SP

Hi

 

So lets say on prem I have a MS AD domain and also a LDAP DB with different usernames/password

idp-msad

idp-ldap

 

uri might be

/idp/idp-msad

/idp/idp-ldap

 

 

and I have a few SP - say SAAS-A and SAAS-b and SAAS-c & SAAS-d

 

 

now I want to auth MS AD user to SAAS-a & SAAS-b

and LDAP DB to SAAS-c & SAAS-d

 

 

I would like to do this through 1 VS, saml.example.com

 

So I don't think i can do this as the landing uri is

/saml/idp/profile/redirectorpost/sso

 

 

can I instead make the landing page

/idp/idp-msad

when i have done that - it auths and fails - as nothing is behind /idp/idp-msad, but I just thought, maybe I need to then redirect to /saml/idp/profile/redirectorpost/sso with the same parameters.

 

that way I can setup my Access profile to that for landing url of /idp/idp-msad I can do the right tests, ie logon via ms ad

But how do I test weather its SAAS-a or SAAS-b

 

same with

/saml/idp/profile/redirectorpost/sso

 

who do i know who called it ? SAAS-a or b or c or d ?

 

Then once I have that going, how do i integrate into multidomain SSO

i have login location of auth.example.com

when i set the apm for saml.exmaple.com to global multidomain and SSO liked to auth.example.com it never triggers the SAML assign resource ..

 

I guess I could move to pre request and look at the uri and then do a test, but again for which SAAS..

 

 

I don't think it possible with the f5, sigh

 

 

 

 

4 Replies

  • Hi Alex,

     

    Normally this behaviour is configured using the Entity ID and ACS (Assertion Consumer Service) under the External SP Connector (Access  ››  Federation : SAML Identity Provider : External SP Connectors). By linking (binding) up the SP connectors with the relevant Local IdP service, you can select if you want to use the AD or the LDAP config.

     

    The SP (in your case SAAS-a, SAAS-b etc) will send their unique identifier across to the F5, which will then select the correct SP to use, based on the Entity ID and ACS, and then select the correct IdP config based on its bindings and it should be working! With this, you don't have to worry about multiple domain names or VSes for the selection process. Large scale services use the same trick to identify who's database they need to query when auth requests come in.

     

    Hope this helps.

  • Hi

     

    I get it can be done and lots of post says yes can be done, and links on the docs saying yeah it can be done.

     

    but no actual this is how to do it. the training course / video are based on single instances with out multi dom sso turned on.

     

    say i have auth.exmaple.com as my multi domain landing uri and I attach my saml id here.

     

    so I go to proofpoint and it send me to auth.example.com .

     

    if i have a session already then the apm will not fire - per session so it will not re assert it selfs

    if I don't have one then I log the person in - but how do I tell which saml its based upon and also I have to realise its a saml request by the fact of the landing uri ...

     

    Thinking about this I think i have to start to look at pre request apm and make decisions based there.

     

    so how do I find the SP Entity ID in apm or do i need to do it in an irule or ?

     

     

     

     

     

     

     

     

     

     

    • AlexBCT's avatar
      AlexBCT
      Icon for Cumulonimbus rankCumulonimbus

      Here are a couple of tools that I often use for SAML configs, to help you decode the information that goes between the SP and the IdP;

       

      I'd start with the SAML tracer, run it once in your browser while you go through the login process, and see the SAML messages from SP to IdP, and back again, and dissect them from there to find the information you need.

       

      It's indeed often a puzzle to see how everything fits together and can take some time to set it up, but as long as you like puzzles, you should be fine... ;)

       

       

      • AlexS_yb's avatar
        AlexS_yb
        Icon for Cirrocumulus rankCirrocumulus

        Thanks all very helpful

         

        Parked the project for a few weeks - putting in PO.. will play again once I get hold of hardware