Forum Discussion
We use SAML for this. APM can act as SP and IdP and we use it for this.
The best way to set it up is:
- Your IdP is a single virtual server with an APM policy that authenticates the users as you wish and then assigns one SAML resource for each application (via Advanced Resource Assign).
- Each application's SAML resource links to one F5 IdP, so you need to create one IdP per application. Although they are separate they will all have the same entity ID. This allows you to keep SSO between apps but specify different configurations per application; for example, you may want the user's password to be sent (encrypted) to the webtop for SSO to Citrix or apps with form-based auth, where the password should not be sent otherwise, or cloud applications may have specific requirements that are different from your internal apps.
- Each IdP is bound to one SAML SP per application.
- Each application VS has an access policy that contains a SAML Authentication step pointing to an individual SAML SP.
Here is a link to F5 instructions for how to set it up:
https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-12-1-0/29.htmlunique_1485171297
There is another way to set it up where you have one F5 SAML IdP for all your applications; however, you will not want to do this because you won't have the flexibility suggested above to have different configurations on a per-application basis.
I really like this setup because all the "intelligence" about authenticating a user is in the IdP and is not replicated in each SP. In the SP I just do authorisation, i.e. is the already authenticated user allowed to use this application. That makes the application's APM policy very simple and generally speaking cookie-cutter; I just copy an existing application's policy and change the group I am authorising against.
As a note, although the document I linked to references SAML artifacts, I couldn't get artifacts to work. This is not required, and it increases complexity (more moving parts). However, it bothers me that I couldn't get it to work :-) so I would appreciate it if anyone who has successfully deployed it could give pointers.
Evan
- Barny_Riches, Aug 19, 2016 (Nimbostratus)
Evan,
Thank you very much for taking the time to explain this.
Knowing that it is not only possible but that you have implemented something similar is very encouraging. I completely agree with your take that separating the core authentication steps into the IdP makes adding new applications a relatively standard procedure. This is what I am hoping to achieve.
I have, using your high-level guide, now put together a skeleton configuration of sorts. I am struggling slightly on the last leg, and this may be the nature of the application I am securing. The initial request connects and the client is redirected to the IdP server. Authentication is performed, but the IdP service does not seem to redirect the client back to the SP. There may well be configuration errors that I have yet to spot, but could you confirm, on a general note, that in your setup it is possible to perform SP-initiated as well as IdP-initiated authentication using this method? The errors that I am seeing suggest that I need to end the IdP policy with a webtop and SAML resource assignment rather than relying on SP redirection.
Thanks again for your guidance,
Barny
- Evan_Champion_1, Aug 20, 2016 (Cirrus)
In the IdP's access policy you will need to assign a SAML resource for each application. This provides the linkage between the IdP access policy and the IdP SAML objects and their bound SP objects. Once you do this you should find it all works fine, for both IdP-initiated and SP-initiated. We use SP-initiated.
Adding a webtop is completely optional, and I did not add one. We have a separate webtop portal that has the SAML apps as well as other apps, and I thought it would be confusing if a user went to the IdP by accident and saw a webtop that looks very much like our portal with only a fraction of the expected apps.
Evan
- Walter_Kacynski, Aug 23, 2016 (Cirrostratus)
Does this setup cause a single user to have two access sessions created? One for the IdP and the other for SP?
- Evan_Champion_1, Aug 23, 2016 (Cirrus)
If your F5 is both the IdP and SP, then a single user will consume one session for the IdP and one for each SP. So the minimum number of access sessions is 2, but if you have multiple SPs then the user may have more than 2 sessions.
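The per-application layout from Evan's first post (one SAML resource, one IdP and one SP per application, all IdPs sharing the entity ID, each application policy pointing at its own SP) and the session arithmetic in this last reply can both be checked mechanically. The following is an added example, not code from the thread or from F5: it models a constructed topology with hypothetical object names and flags any deviation from those rules, then computes the access-session count one user consumes.

```python
"""Sanity checks for the per-application SAML IdP/SP layout discussed in the thread.
Constructed model (not real F5 APM objects): each application gets one SAML
resource -> one IdP (all IdPs share the entity ID) -> one SP, and each
application's access policy references its own SP."""
from collections import Counter

# Constructed topology, hypothetical names: app -> (saml_resource, idp, sp)
TOPOLOGY = {
    "intranet": ("res_intranet", "idp_intranet", "sp_intranet"),
    "citrix":   ("res_citrix",   "idp_citrix",   "sp_citrix"),
    "cloudcrm": ("res_cloudcrm", "idp_cloudcrm", "sp_cloudcrm"),
}
# Constructed per-IdP settings: shared entity ID, per-app password forwarding
IDP_SETTINGS = {
    "idp_intranet": {"entity_id": "https://idp.example.test/saml", "send_password": False},
    "idp_citrix":   {"entity_id": "https://idp.example.test/saml", "send_password": True},
    "idp_cloudcrm": {"entity_id": "https://idp.example.test/saml", "send_password": False},
}
# Constructed: the SP each application's access policy authenticates against
APP_POLICY_SP = {"intranet": "sp_intranet", "citrix": "sp_citrix", "cloudcrm": "sp_cloudcrm"}


def check_topology(topology, idp_settings, app_policy_sp):
    """Return a list of violations of the one-resource/one-IdP/one-SP-per-app rule."""
    problems = []
    for idp in (v[1] for v in topology.values()):
        if idp not in idp_settings:
            problems.append(f"{idp} has no IdP settings")
    # All per-application IdPs must present the same entity ID so SSO is preserved
    entity_ids = {idp_settings[i]["entity_id"] for _, i, _ in topology.values() if i in idp_settings}
    if len(entity_ids) != 1:
        problems.append(f"IdPs must share one entity ID, found {sorted(entity_ids)}")
    # No SAML resource, IdP or SP may be shared between two applications
    for kind, idx in (("resource", 0), ("idp", 1), ("sp", 2)):
        for name, count in Counter(v[idx] for v in topology.values()).items():
            if count > 1:
                problems.append(f"{kind} {name} is shared by more than one application")
    # Each application's access policy must point at that application's own SP
    for app, (_, _, sp) in topology.items():
        if app_policy_sp.get(app) != sp:
            problems.append(f"policy for {app} points at {app_policy_sp.get(app)}, expected {sp}")
    return problems


def session_count(apps_used):
    """Access sessions one user consumes: one on the IdP plus one per SP actually used."""
    return 1 + len(set(apps_used))


if __name__ == "__main__":
    print(check_topology(TOPOLOGY, IDP_SETTINGS, APP_POLICY_SP) or "topology OK")
    print(session_count(["intranet", "citrix", "intranet"]))  # 3
```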