idp
47 Topics

SAML - LTM in front of SP
Hi everybody! We’ve got an F5 BIG-IP set up as a SAML IdP and an on-prem application acting as the SAML Service Provider (SP). The SP itself has two backend servers, which we’d like to load balance through the F5. Our goal is for all traffic between users and the SP to go through the F5 — not just the authentication part.

In a typical SAML setup with F5 acting just as IdP, once the user is authenticated, the browser goes straight to the SP. That’s fine in theory, but in our case we’d rather keep the F5 in the mix — both as the SAML IdP and as a reverse proxy/load balancer for the SP.

1) Is it enough to just configure the IdP side on the F5 and point the ACS (Assertion Consumer Service) URL to the LTM virtual server? The idea being: the F5 receives the SAML Response and quietly passes it on to one of the backend SPs behind the same VS.

2) What’s the best way to troubleshoot or confirm that the SAML Response actually makes it from the F5 to the backend SP? For example, can I see this in the APM logs, session variables, or should I go full “tcpdump ninja”? Basically: how do I prove the SAML assertion isn’t getting lost somewhere between the F5 and the SP?

Many thanks in advance!

tcl logic in SAML Attribute value field possible?
Hi. We're running BigIP as a SAML IDP. Can I somehow issue tcl logic in a SAML attribute? I'm talking about Access ›› Federation : SAML Identity Provider : Local IdP Services, editing an object, under SAML Attributes. Based on what's in the memberOf attribute, I need to issue as a value either an empty string or "SpecificValue". I am familiar with the %{session.variable} construct, but I don't want to clutter the session with more variables if I can avoid it, as that impacts all sessions using our IDP (30 or so federated services on the same VIP and AP).

I tried these two approaches:

    %{ set result {} ; if { [mcget {session.ad.last.attr.memberOf}] contains {| CN=SpecificGroup,OU=Resource groups,OU=Groups,DC=Domain,DC=com |}} { set result {SpecificValue} } ; return $result }

    expr { set result {} ; if { [mcget {session.ad.last.attr.memberOf}] contains {| CN=SpecificGroup,OU=Resource groups,OU=Groups,DC=Domain,DC=com |}} { set result {SpecificValue} } ; return $result }

Expected result: An issued claim with the value "" or "SpecificValue"
Actual result: An issued claim with the above code as the value

As I mentioned, we've set it up using one VIP that is hosting 30 or so services. We're running 16.1.3.1. They are using the same SSO configuration and there's an iRule triggered at ACCESS_POLICY_AGENT_EVENT, which does some magic to extract the issuer and suchlike, and that helps to make decisions later in the Access Policy. It also populates a few session variables under the session.custom namespace for use in the Access Policy. Additional session variables are being populated in the Access Policy, such as the resolved manager and their email address. I have looked briefly at the ASSERT::saml functions, but even if it would be possible to manipulate that way, I wish to keep this setup as streamlined as possible and with as few new "special cases" in an iRule.
So while I appreciate pointers along that route as well, I would first of all like to know if there is a way to do it natively in the SAML attribute value field. And if there are any options I have not yet explored here?

APM Cookbook: SAML IdP Chaining
As an APM subject matter expert at F5 I often find myself in situations where a customer or colleague needs an example of a particular configuration. While most of these requests are easily handled with a call or WebEx, I'm a firm believer in sharing knowledge through documentation... and I don't like getting calls at 3 AM. If you're like me you grew up with the O'Reilly Cookbook series, which served as a great reference for various development or server configuration tasks. My goal is to create a similar reference resource here on DevCentral for those one-off scenarios where a visual example may help you complete your task. For the first APM Cookbook series I'll discuss SAML IdP chaining.

Overview

Security Assertion Markup Language, more commonly known as SAML, is a popular federated authentication method that provides web based single sign-on. One of the key security advantages to SAML is the reduction in username/password combinations that a user has to remember... or, in my experience as a security engineer, the number of passwords written on a post-it note stuck to their monitor. There are two major services in a SAML environment:

IdP - Identity Provider
SP - Service Provider

The identity provider is the SAML service that authenticates the user and passes an assertion to the service providers proving the user's identity. F5's APM performs both IdP and SP services and allows customers to easily deploy federated authentication in their environment. In more complex scenarios you may run across a requirement where multiple SAML IdPs need to be chained together. This comes up from time to time when customers have contractors that utilize federated authentication for authorization to corporate resources.

Example

For our configuration we have the Globex Corporation, which uses APM to authenticate users to Office 365. Globex hires contractors from Acme Corp., who authenticate using the Acme Corp. ADFS environment.
However, since Office 365 is configured to authenticate against the Globex APM, we need to convert the Acme Corp. SAML assertion into a Globex SAML assertion, which is known as IdP chaining. The step ladder for this process is shown below:

1. User requests https://outlook.com/globex.com
2 - 3. Office 365 redirects the user to idp.globex.com
3 - 4. idp.globex.com determines the user is a contractor and redirects the user to sts.acme.com
5 - 8. User authenticates using Acme credentials and is then redirected back to idp.globex.com
9. idp.globex.com consumes the Acme SAML assertion and creates a Globex SAML assertion
10. User is redirected back to Office 365
11 - 12. Office 365 consumes the Globex SAML assertion and displays the user's mail

Configuration

To configure your APM SAML IdP to accept incoming assertions from sts.acme.com we need to create an external SP connector. Under the Access Policy -> SAML -> BIG-IP as SP configuration section:

1. Create a new SAML SP Service
2. Export the SP metadata and configure sts.acme.com accordingly (follow your IdP vendor's documentation)
3. Click the External IdP Connectors menu at the top
4. Click the dropdown arrow on the Create button and choose From Metadata (import the metadata from sts.acme.com)
5. Bind the Local SP service to the external IdP connector

Now that idp.globex.com and sts.acme.com are configured to trust one another, we need to configure the APM IdP to consume the sts.acme.com SAML assertion. The IdP's Visual Policy Editor should look similar to the image below:

1. The Decision Box asks the user what company they're with. This is a simple example, but more elaborate home realm discovery techniques can be used.
2. The SAML Auth box is configured to consume the sts.acme.com assertion
3. Since we no longer have a login form on the IdP we need to set a few APM session variables:
   session.logon.last.username = Session Variable session.saml.last.identity
   session.logon.last.logonname = Session Variable session.saml.last.identity
4. Create an Advanced Resource Assign that matches your existing IdP Advanced Resource Assign.

Conclusion

This particular post was a little long-winded due to the steps required, but overall it is a fairly simple configuration. So the next time someone asks if your F5 can do IdP chaining you can confidently reply "Yes, and I know how to do that".

APM with EntraID as idP / request signed
Hi experts. I need your help to solve an issue. I'm configuring a new environment with BIG-IP version 15.1.8.2 Build 0.0.17 Point Release 2. I have the APM working fine with SSO using EntraID (AzureAD) as IdP. Now, I need to enable signed requests (Enforce signed SAML authentication requests - Microsoft Entra ID | Microsoft Learn). I generated the self signed certificate and imported it in my app at Azure and on my BIG-IP. I changed my config in Access > Federation > SAML Identity Provider and assigned my self signed certificate (pk included) to sign the request. But I've received the below error from EntraID:

Sign-in error code: 76021
Failure reason: The request sent by client is not signed while the application requires signed requests

All attempts were made by browser (SSL VPN). Thank you.

SaaS Federation iApp
Problem this snippet solves:

f5.saas_idp.v.1.0.1rc1
The official release candidate iApp template has been posted to downloads.f5.com in the RELEASE_CANDIDATE directory of the iApp package. This release has the following changes:
- Added support for BIG-IP v12.1
- Modified the 'SP Initiated?' field in the iApp to 'IdP Initiated?' and the values to 'No, SP only' and 'Yes, IdP and SP' to make this section more clear.

f5.saas_idp.v.1.0.0rc1
This release candidate version of the iApp template, released on 4/20/16, provides improved functionality and additional options. The deployment guide has also been substantially updated.

f5.saas_idp.v.0.9.0
This iApp allows you to configure F5 BIG-IP Access Policy Manager (APM) as a SAML Identity Provider (IdP) to 11 commonly used SaaS applications:
- Office 365
- Salesforce.com
- Workday
- Amazon Web Services (limited support)
- Concur
- Service-Now
- Jive
- Wombat
- Zendesk
- WebEx
- Google Apps

How to use this snippet:

For information on how to download, install, and use the iApp (and various other prerequisites), see the deployment guide for this configuration: http://f5.com/pdf/deployment-guides/saml-idp-saas-dg.pdf

Code: https://downloads.f5.com/esd/product.jsp?sw=BIG-IP&pro=iApp_Templates

SAML issue with SimpleSAMLphp as IdP, BIG-IP as SP
I have been trying to get SAML working, SimpleSAMLphp as IdP and BIG-IP as SP. I believe it works up to the point where the IdP sends its auth successful data to the SP; once received by the SP I get this error:

SAML Agent: /Common/saml_act_saml_auth_ag failed to parse assertion, error: Canonicalization of SignedInfo

Not sure how to continue from there, so many options and so little information on their exact effect. I built the setup as follows: virtual server with access profile with just Start --> SAML Auth --> Allow, BIG-IP as SP profile with an IdP connection based on URI /, created IdP connection based on metadata from IdP. Turned off as many signed and secure options as possible, just testing now, will add later on. Anyone here that has set up BIG-IP as SP successfully with SimpleSAMLphp? Can you share some experience?

SAML SP ACS Post back resulting in a 404
Hello, I have one application configured to use APM via SAML authentication; the SP & IdP are both running directly on our F5. This setup is working for many applications, only for this one I have problems with the SAML flow. Only some web resources from this app are protected; we used an iRule here in order to handle this. When I access one of the protected URIs I will be redirected to our IdP in order to get the authentication (KRB Ticket); this is still working, I get a session for it (Allowed state) and see also the correct SP in the reference. But the post back from the IdP to the SP to the ACS /saml/sp/profile/post/acs is resulting in a 404.

Accessing protected web resource -> www.app1.com/protected
No session right now so I will be redirected to IdP -> idp.com/saml/idp/profile/redirectorpost/sso (Post; State 302)
Redirect back to SP -> www.app1.com/saml/sp/profile/post/acs (Post; State 404)

Anybody an idea how to solve this or where I can start with the error search?

Thanks, Christoph

F5 APM Single IdP for Multiple SP's (Redirect External VIP to Internal VS's)
Hey there F5 community, I've been trying to wrap my head around this one to see if it is possible, and may be looking at this under the wrong light... We are trying to set up an environment such as idp.domain.com (externally available) and be able to route to internal-only VIPs/Virtual Servers from it and utilize the Access Policy that resides on whatever virtual server it is redirected to, and handle SAML 2.0 communication policies from there. We've created internal-only VIPs and VSs for each separate SAML service policy and SP Connectors. We have successfully got them working independently when those VIPs were externally available. However we are looking to consolidate and have a single entry point for SP Initiated Connections, then redirect to the Virtual Server bound for each separate SP, and utilize the policy attached to the internal-only VSs. I've attempted a few different iRules that I have seen listed on the board here with very similar requests, but no luck yet. I am unable to bypass the initial policy of idp.domain.com and redirect to the internal-only VS.

Example: SP Initiated to DNS pointing app1.domain.com to the same External VIP as idp.domain.com
app1.corp.domain.com: name of the Internal VS with Policy, bound with SP Connector and has its own APM Policy

    when HTTP_REQUEST {
        switch [string tolower [HTTP::host]] {
            "app1.domain.com" { virtual app1.corp.domain.com }
            "app2.domain.com" { virtual app2.corp.domain.com }
        }
    }

Since it is landing on the Externally Available VIP for VS idp.domain.com, it is trying to process that policy without redirecting to the true end point VS of app1.corp.domain.com. I'm not sure if idp.domain.com needs to have no policy constraints, or if something perhaps in the swap host syntax doesn't like the periods in the actual Virtual Server name in

    "app1.domain.com" { virtual app1.corp.domain.com }

or something of that sort. Most times I've seen any VS referenced, I noticed everyone seems to use underscores; of course this is after we've previously built out separately with actual names. So I'm not sure if that causes syntax issues. By chance does anyone have any recommendations? Thanks!

F5 as IDP & SAML Service Provider with multiple ACS Bindings
Version: 11.5.1 HF7 (LTM + APM)

Anyone out there using F5 as IDP with a SAML service provider which contains multiple ACS bindings (please find snippet below)? After import of metadata, I can only find one ACS URI in bigip.conf, so I doubt this may be a feature which is currently not supported.

continue ...
continue ...

Highly appreciate any feedback on that topic. Thx

Keycloak as IDP for F5 APM via SAML
I have a requirement from our customer to do MFA authentication on the F5 APM module and use Keycloak as Identity Provider to control their access to a web application. Since Keycloak is operated by a different team, the internal operation team doesn't have authorization to do MFA on Keycloak. They will use F5 APM to perform MFA instead.

Existing environment.

Solution

Protect your web application by deploying F5 as a web proxy.

Configuration

Import your SAML metadata to F5 APM
1. Start by logging in to your Keycloak console and download the SAML metadata. Make sure you have the right realm selected.
2. Save your metadata.
3. Navigate to External IDP connector.
4. Create External IDP connector.
5. Upload your metadata previously downloaded and name your SAML IDP connector.

Create your web.f5test.com certificate.
1. Navigate to the SSL Certificate list console.
2. Create your new certificate.
3. Configure your parameters and click Finish.

Create your Local SP Service
1. Navigate to the local SP service console.
2. Click create new SP service.
3. Input name, EntityID and SP name setting.
4. Config POST as assertion consumer service binding.
5. Configure security settings with the certificate generated earlier and click OK.

Binding your SP service with IDP connector
1. Select your newly created SP service.
2. Add new row and select your IDP connector profile.

Import your SP service to Keycloak
1. Export your SP service.
2. Create new client on Keycloak.
3. Select the file downloaded from the previous section.
4. Click save.