We are trying to use the Big IP system as a SAML service provider and PingFederate as a SAML Identity Provider. Is it possible to create an access policy which allows/denies user to access a particular protected resource based on user atrributes or groups using F5 Big IP APM?
First of would you check authorization on IDP or SP? The best practice is to check authorization on SP side, the IDP will return attribute to SP then SP will manage authorization.
I don’t think you understood the question. I want to implement the attribute-based authorization on the SP side which is the F5 APM and not on the protected application. For example, if there are two resources abc.html and def.html, where abc.html can only be accessed by the directors and def.html can be accessed by developers. Can we implement this kind of access control using F5 Big-IP APM? If so, could you please point me towards the related document?
You don't have a specific documentation for your need. In fact you have to use a generic access policy for authentication and LDAP query in order to retrieve needed attribute.
Then you can use an per-request-policy in order to restrict URL access by LDAP/AD GRP or other.
I alread implement this need for an custoer and I use Datagroup in order to set right:
grp_A /uri1
grp_B /uri2
grp_C /uri3
try to implent an per-request-policy... if you encouter a problem keep me in touch.
