APM Cookbook: SAML IdP Chaining
As an APM subject mater expert at F5 I often find myself in situations where a customer or colleague needs an example of a particular configuration. While most of these requests are easily handled with a call or WebEx I'm a firm believer in sharing knowledge through documentation.. and I don't like getting calls at 3 AM. If you're like me you grew up with the O'Reilly Cookbook series which served as a great reference document for various development or server configuration tasks. My goal is to create a similar reference resource here on DevCentral for those one-off scenarios where a visual example may help your complete your task. For the first APM Cookbook series I'll discuss SAML IdP chaining. Overview Security Assertion Markup Language, more commonly known as SAML, is a popular federated authentication method that provides web based single sign-on. One of the key security advantages to SAML is the reduction in username/password combinations that a user has remember... or in my experience as a security engineer the number of passwords written on a post-it note stuck to their monitor. There are two major services in a SAML environment: IdP - Identity Provider SP - Service Provider The identity provider is the SAML service that authenticates the user and passes an assertion to then service providers proving the user's identity. F5's APM performs both IdP and SP services and allows customers to easily deploy federated authentication in their environment. In more complex scenarios you may run across a requirement where multiple SAML IdPs need to be chained together. This comes up from time to time when customers have contractors that utilize federated authentication for authorization to corporate resources. Example For our configuration we have the Globex Corporation that uses APM to authenticate uses to Office 365. Globex hire contractors from Acme Corp. who authenticate using the Acme Corp. ADFS environment. However, since Office 365 is configured to authenticate against the Globex APM we need to convert the Acme Corp. SAML assertion into a Globex SAML assertion, which is known as IdP chaining. The step ladder for this process is shown below: 1. User requests https://outlook.com/globex.com 2 - 3. Office 365 redirects user to idp.globex.com 3 - 4. idp.globex.com determines user is a contractor and redirect user to sts.acme.com 5 - 8. User authenticates using Acme credentials and is then redirect back to idp.globex.com 9. idp.globex.com consumes the Acme SAML assertion and creates a Globex SAML assertion 10. User is redirected back to Office 365 11 - 12. Office 365 consumes the Globex SAML assertion and displays the user's mail Configuration To configure your APM SAML IdP to accept incoming assertion from sts.acme.com we need to create an external SP connector. Under the Access Policy -> SAML -> BIG-IP as SP configuration section: 1. Create a new SAML SP Service 2. Export the SP metadata and configure sts.acme.com accordingly (follow your IdP vendor's documentation) 3. Click the External IdP Connectors menu at the top 4. Click the dropdown arrow on the create button and choose From Metadata (import the metadata from sts.acme.com) 5. Bind the Local SP service to the external IdP connector Now that idp.globex.com and sts.acme.com are configured to trust one another we need to configure the APM IdP to consume the sts.acme.com SAML assertion. The IdP's Visual Policy Editor should look similar to the image below: 1. The Decision Box asks the user what company they're with. This is a simple example but more elaborate home realm discovery techniques can be used. 2. The SAML Auth box is configured to consume the sts.acme.com assertion 3. Since we no longer have a login form on the IdP we need to set a few APM session variables: session.logon.last.username = Session Variable session.saml.last.identity session.logon.last.logonname = Session Variable session.saml.last.identity 4. Create an Advanced Resource Assign that matches your existing IdP Advance Resource Assign. Conclusion This particular post was a little longwinded due to the steps required but overall is a fairly simple configuration. So the next time someone asks if your F5 can do IdP chaining you can confidently reply "Yes and I know how to do that".BIGIP IdP, SP, Webtop?
I have read documentation but I started to get confused with what I need. I am trying to build a webportal (webtop) on my edge to allow access to protected systems. The Webtop will present the BIGIP portal to authenticate and force MFA with DUO and create the assertions for the protected systems on the back side of BIGIP that are SAML based. What would be the configuratio required to accomplish this? Do I need to make BIGIP act as IdP, or SP or both? or Federate BIGIP portal? Is there any documentation?
SAML Azure IdP and SSO between multiple VS
Hi, We are looking at a solution to setup SAML authentication with Azure IdP. We don’t have any problem to esablish the Federation and publish single App (for example app.corp.com). Basically we create a Federation and register app.corp.com as Enterprise App in Azure. Export & Import Metadata and everything works fine. However our issue is that we have a lot of applications to secure (~150 App). All these Apps are directly accessible from the browser. That means no need to login on a APM portal to get access. We are looking for a solution to avoid registering these 150 apps in Azure as specific applications. Do you know if there is a way to implement a SSO between all apps and only register one VS (for example auth.corp.com with Azure IdP)? That would clearly simplify the setup Tried this without success : https://devcentral.f5.com/s/articles/post-of-the-week-saml-idp-and-sp-on-one-big-ip-30680 If not possible via direct access do you think using APM portal could help on this? ThanksF5 SAML IdP with Okta User Facing
Currently have F5 APM set up as a SAML IdP for ~10 SaaS providers. We also have an Okta environment set up with it's own SAML connections to other SaaS providers. We would like to start sending users 100% through Okta but do not want to migrate the current F5 IdP connections to Okta for reasons too long to describe here. Has anyone ever had users authenticate into Okta and at the same time be given access to all the SAML resources on the F5? If I made the F5 an SP for Okta, could I assign the existing F5 SAML resources and allow the user through? I don't believe this would work but am unable to think of other ways to achieve this. Any thoughts would be appreciated.
BigIP as both a SAML IdP and SP, correct APM SSO config options
We have setup the BigIP as both an IdP and and multiple SPs. Its really neat that the BigIP can provide both roles, however, the documentation seems to be lacking the proper setup for the SSO tab for each of the APM security policies that are configured on the IdP and SPs respectively. For example: IdP = https://auth.example.com/idp SP1 = https://mail.example.com/sp SP2 = https://confluence.example.com/sp For each these above we have a unique APM security profile and the scope for each is set to "Profile" not "Global". So the question is what do we select in the "SSO / Auth domains" tab for each of these APM profiles?, the options are: Domain Mode: single domain or multiple domain? Domain Cookie: blank or example.com or the fqdn of the resource the APM profile is protecting. Cookie options: we are selecting "Secure" check box SSO configuration: blank or should it be the SSO configuration that was automatically created when we created our IdP? Again, the documentation is not clear on what is correct for these settings and I hope a discussion of this will help those out there deploying this configuration!APM IdP - import a metadata file using tmsh
I have a APM solution set up as an IdP. I get sent metadata files when setting up an SP connector. This can be done via the F5 GUI but i want to know if you can also do this CIA the TMSH command line? Can you SCP the metadata xml to the APM then import there?iRule - Access to External IdP connectors
Hi, I have APM setup as a Service Provider with multiple IdP connectors. I was wondering if there is a way to get at the list of IdP connectors and the matching values I have setup in as part of an iRule? I'm trying to work out where someone is coming from, and the logic runs before it gets to the access policy and 'SAML Auth' part of the process. I was hoping to use the IdP external connectors instead of creating a datagroup that just duplicates what I already have. Cheers, Simon
SAML IDP-initiated without webtop
so i have 1 SP initiated SAML setup and working. i have another request to setup an IDP initiated SAML connection. i have get it to work successfully following the guide but after signing into the F5 the users have to click the link in the webtop. from research i know i should be able to send them directly to the correct SAML resource but i have not been able to figure it out. any help would be great? this is the guide i followed https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-saml-config-guide-11-3-0/2.htmlunique_882574450
