Nimbostratus
CirrusWe use SAML for this. APM can act as SP and IdP and we use it for this.
The best way to setup is:
Here is a link to F5 instructions for how to setup:
https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-12-1-0/29.htmlunique_1485171297
There is another way to setup where you have one F5 SAML IdP for all your applications however you will not want to do this because you won't have the flexibility suggested above to have different configurations on a per-application basis.
I really like this setup because all the "intelligence" about authenticating a user is in the IdP and is not replicated in each SP. In the SP I just do authorisation i.e. is the already authenticated user allowed to use this application. That makes the application's APM policy very simple and generally speaking cookie-cutter; I just copy an existing application's policy and change the group I am authorising against.
As a note, although the document I linked to references SAML artifacts, I couldn't get artifacts to work. This is not required and increases complexity/more moving parts. However it bothers me that I couldn't get it to work :-) so I would appreciate if anyone who has successfully deployed could give pointers.
Evan
NimbostratusEvan,
Thank you very much for taking the time to explain this.
Knowing that it is not only possible but that you have implemented something similar is very encouraging. I completely agree with your take that by separating the core authentication steps to the IdP makes adding new applications a relatively standard procedure. This is what I am hoping to achieve.
I have, using your high-level guide, now put together a skeleton configuration of sorts. I am struggling slightly on the last leg and this may be the nature of the application I am securing. The initial request connects and the client is redirected to the IdP server. Authentication is performed but the IdP service does not seem to redirect the client back to the SP. There may well be configuration errors that I have yet to spot, but could you confirm on a general note, that in your setup, it is possible to perform SP as well as IdP initiated authentication using this method? The errors that I am seeing suggest that I need to end the IdP policy with a webtop and SAML resource assignment rather than relying on SP redirection.
Thanks again for your guidance,
Barny
CirrusIn the IdP's access policy you will need to assign a SAML resource for each application. This provides the linkage between the IdP access policy to the IdP SAML objects and bound SP objects. Once you do this you should find it all works fine, for both IdP and SP-initiated. We use SP-initiated.
Adding a webtop is completely optional and I did not add one. We have a separate webtop portal that has the SAML apps as well as other apps and I thought it would be confusing that a user went to the IdP by accident and saw a webtop that looks very much like our portal with only a fraction of the expected apps.
Evan
CirrostratusDoes this setup cause a single user to have two access sessions created? One for the IdP and the other for SP?
CirrusIf your F5 is both the IdP and SP, then a single user will consume one session for the IdP and one for each SP. So, the minimum number of access sessions is 2, but if you have multiple SP then the user may have more than 2 sessions.