APM with EntraID as idP / request signed
Hi experts. I need your help to solve an issue. I'm configuring a new enviroment with BIG-IP version 15.1.8.2 Build 0.0.17 Point Release 2. I have the APM works fine with SSO using EntraID (AzureAD) as idP. Now, I need to enable the request signed (Enforce signed SAML authentication requests - Microsoft Entra ID | Microsoft Learn). I generated the self signed certificate and import it on my app at Azure and my BIG-IP. I changed my config in Access > Federation > SAML Identity Provider and assigned my self signed certificate (pk included) to assign the request. But, I've received the below error by EntraID: Sign-in error code: 76021 Failure reason: The request sent by client is not signed while the application requires signed requests All attemps was made by browser (SSL VPN). Thank you.
SaaS Federation iApp
Problem this snippet solves: f5.saas_idp.v.1.0.1rc1 The official release candidate iApp template has been posted to downloads.f5.com in the RELEASE_CANDIDATE directory of the iApp package. This release has the following changes: Added support for BIG-IP v12.1 Modified the 'SP Initiated?' field in the iApp to 'IdP Initiated?' and the values to 'No, SP only' and 'Yes, IdP and SP' to make this section more clear. f5.saas_idp.v.1.0.0rc1 This release candidate version of the iApp template, released on 4/20/16, provides improved functionality and additional options. The deployment guide has also been substantially updated. f5.saas_idp.v.0.9.0 This iApp allows you to configure F5 BIG-IP Access Policy Manager(APM) as SAML Identity Provider(IdP) to 11 commonly used SaaS applications: Office 365 Salesforce.com Workday Amazon Web Services(limited support) Concur Service-Now Jive Wombat Zendesk WebEx Google Apps How to use this snippet: For information on how to download, install, and use the iApp (and various other prerequisites), see the deployment guide for this configuration: http://f5.com/pdf/deployment-guides/saml-idp-saas-dg.pdf Code : https://downloads.f5.com/esd/product.jsp?sw=BIG-IP&pro=iApp_Templates
SAML issue with SimpleSAMLphp as IdP, BIG-IP as SP
have been trying to get SAML working, simpleSAMLphp as IdP and BIG-IP as SP. i believe it works up to the point where the IdP sends its auth succesfull data to the SP, once recieved by the SP i get this error: SAML Agent: /Common/saml_act_saml_auth_ag failed to parse assertion, error: Canonicalization of SignedInfo not sure how to continue from there, so many options and so little information on their exact effect. i built the setup as follows, virtual server with access profile with just start --> SAML auth --> Allow, BIGIP as SP profile with an IdP connection based on uri /, created IdP connection based on metadata from IdP. turned off as many signed and secure options as possible, just testing now, will add later on. anyone here that has setup BIG-IP as SP succesfully with SimpleSAMLphp? can you share some experience?
F5 APM Single IdP for Multiple SP's (Redirect External VIP to Internal VS's)
Hey there F5 community, I've been trying to wrap my head around this one to see if it is possible, and may be looking at this under the wrong light... We are trying to setup an environment such as idp.domain.com (Externally Available) and be able to route to internal only VIP's/Virtual Servers from it and utilize the Access Policy that resides on whatever virtual server it is redirected to, and handle SAML 2.0 communication policy's from there. We've created internal only VIP's and VS's for each separate SAML service policy and SP Connectors. We have successfully got them working independently when those VIPs were externally available. However we are looking to consolidate and have a single entry point for SP Initiated Connections, then redirect to the Virtual Server bound for each separate SP, and utilize the policy attached to the internal only VS's. I've attempted a few different iRule's that I have seen listed on the board here with very similar requests, but no luck yet. I am unable to bypass the initial policy of idp.domain.com and redirect to the internal only VS. Example: SP Initiated to DNS Pointing app1.domain.com to same External VIP as idp.domain.com app1.corp.domain.com name of Internal VS with Policy, Bound with SP Connector and has own APM Policy when HTTP_REQUEST { switch [string tolower [HTTP::host]] { "app1.domain.com" { virtual app1.corp.domain.com } "app2.domain.com" { virtual app2.corp.domain.com } } } Since it is landing on the External Available VIP for VS idp.domain.com, it is trying to process that policy without redirecting to the true end point VS of app1.corp.domain.com I'm not sure if idp.domain.com needs to have no policy constraints, or if something perhaps in the swap host syntax that doesn't like the "app1.domain.com" { virtual app1.corp.domain.com } Periods in the actual Virtual Server name or something of that sort. Most time I've seen any VS referenced, I noticed everyone seems to use underscores, of course this is after we've previously built out separately with actual names. So I'm not sure if that causes syntax issues. By chance does anyone have any recommendations? Thanks!
F5 as IDP & SAML Service Provider with multiple ACS Bindings
Version: 11.5.1 HF7 (LTM + APM) Anyone out there using F5 as IDP with a SAML service provider which contains multiple ACS bindings (please find snippet below)? After import of metadata, I can only find one ACS URI in bigip.conf, so I doubt this may be a feature which is currently not supported continue ... continue ... Highly appreciate any feedback on that topic Thx
tcl logic in SAML Attribute value field possible?
Hi. We're running BigIP as a SAML IDP. Can I somehow issue tcl logic in a SAML attributes? I'm talking about the Access ›› Federation : SAML Identity Provider : Local IdP Services, editing an object, under SAML Attributes. Based on what's in the memberOf attribute, I need to issue as a value either empty string or "SpecificValue". I am familiar with the %{session.variable} construct, but I don't want to clutter the session with more variables if I can avoid it, as that impacts all sessions using our IDP (30 or so federated services on the same VIP and AP). I tried these two approches: %{ set result {} ; if { [mcget {session.ad.last.attr.memberOf}] contains {| CN=SpecificGroup,OU=Resource groups,OU=Groups,DC=Domain,DC=com |}} { set result {SpecificValue} } ; return $result } expr { set result {} ; if { [mcget {session.ad.last.attr.memberOf}] contains {| CN=SpecificGroup,OU=Resource groups,OU=Groups,DC=Domain,DC=com |}} { set result {SpecificValue} } ; return $result } Expected result: An issued claim with the value "" or "SpecificValue" Actual result: An issued claim with the above code as the value As I mentioned, we've set it up using one VIP that is hosting 30 or so services. We're running 16.1.3.1. They are using the same SSO configuration and there's an iRule triggerd at ACCESS_POLICY_AGENT_EVENT, which does some magic to extract issuer and suchlike, and that helps to make decisions later in the Access Policy. It also populates a few session variables under the session.custom namespace for use in the Access Policy. Additional session variables are being populated in the Access Policy, such as resolved manager and their email address. I have looked briefly at the ASSERT::saml functions, but even if it would bepossible to manipulate that way, I wish to keep this set up as stream lined as possible and with as few new "special cases" in an iRule. So while I appreciate pointers along that route as well, I would first of all like to know if there is a way to do it natively in the SAML attribute value field. And if there are any options I have not yet explored here?Keycloak as IDP for F5 APM via SAML
I have a requirement from our customer to do MFA authentication on F5 APM module and use Keycloak as Identity provider to control their access to web application. Since the keycloak is operate by different team, the internal operation team don’t have an authorize to do MFA on keycloak. They will use F5 APM to perform MFA instead. Existing environment. Solution Protect your web application by deploy F5 as web proxy. Configuration Import your SAML metadata to F5 APM Start by login to your keycloak console and downlond SAML metadata Make sure you have right realm selected. Save as you metadata Navigate to External IDP connector Create External IDP connector Upload your Metadata previously downloaded and name your SAML IDP connector Create your web.f5test.com certificate. Navigate to SSL Certificate list console Create your new certificate Configuration your parameter and click finish Create your Local SP Service Navigate to local SP service console Click create new SP service Input name, EntityID and SP name setting Config POST as assertion consumer service binding Configuration security setting with certificate generated earlier and click OK Binding your SP service with IDP connector Select your newly SP service created Add new row and select you IDP connector profile. Import your SP service to Keycloak Export your SP service Create new client on Keycloak Select file downloaded from previous section Click saveHow to customise Azure AD OIDC user ID token for APM integration
Overview A Service Provider (SP) such as the F5 APM can integrate with Azure AD (AAD) as an Identity Provider (IDP) for federated authentication using OpenID Connect (OIDC). Through this process, a user visiting APM (e.g., https://myapps.acme.corp ) is immediately redirected to AAD for authentication, once authenticated, AAD returns a code to the APM via the user browser. The APM grabs that code, adds additional information, sends them together to AAD, and finally receives an ‘access_token’ and ‘id_token’. This article takes a special focus around what is included in ‘id_token’ that AAD returns, as it is used by APM, and broadly speaking by any relying party SP, for the purpose of session creation. ‘id_token’ (part of OIDC) contains user identity information and is highly customizable. The customization of ‘id_token’ is completely done within AAD. The concept is simple, but not until it is well understood in my experience; especially with the AAD having a bunch of configuration items in the mix, such as ‘Token configuration’, ‘API permissions’ and ‘Expose an API’. This article hopes to cut all the clutter and un-muddy the water so to speak, around this topic. OIDC As a refresher, the difference between oAuth and OIDC lies in that OIDC is an identity piece laying on top of oAuth. Specifically, with oAuth, ‘access_token’ alone is returned, whereas with OIDC, ‘id_token’ is returned in addition to ‘access_token’. Scope To tell AAD we are using OIDC, the APM needs to include a scope named ‘openid’ in its outbound request to the AAD. This is achieved via the following setting. Within AAD, your application must include ‘openid’, as shown below. By default, the ‘openid’ scope comes with a list of claims that will be included in ‘id_token’. However, for certain claims to be available, additional scopes are also required. For example, if you want to have ‘preferred_username’and ‘name’ claims included, ‘profile’ scope needs to be added as well, as is depicted in the following. AAD also lets you add optional claims via ‘Token configuration’ as shown below. If these optional claims need additional scopes, AAD will add those scopes in for you under ‘API permissions’. On the APM ‘OAuth Client’ configuration, make sure to add those scopes in as highlighted below. Once the APM matches scope with AAD, AAD will include all claims in ‘id_token’ it sends back to the APM. The APM is then able to consume those claims based on the use case (e.g., create a session using email) I am hoping that this short article sheds some light around your integration work around this space.
APM - SAML Attributes Blank
Hello, I am working on implementing a SAML IDP, however I'm running into an issue where the SAML payload is not showing values for the attributes. Example: <saml2:AttributeStatement> <saml2:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"></saml2:Attribute> <saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"></saml2:Attribute> <saml2:Attribute Name="displayname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> <saml2:AttributeValue xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">email@email.com</saml2:AttributeValue> </saml2:Attribute> The attributes as defined in the IDP Config are: displayname = %{session.logon.last.logonname} email = %{session_logon_last_email} uid = %{session.ad.last.attr.sAMAccountName} What am I missing here?
