Forum Discussion
We use SAML for this. APM can act as SP and IdP and we use it for this.
The best way to set it up is:
- Your IdP is a single virtual server with an APM policy that authenticates the users as you wish and then assigns one SAML resource for each application (via Advanced Resource Assign).
- Each application's SAML resource links to one F5 IdP, so you need to create one IdP per application. Although they are separate they will all have the same entity ID. This allows you to keep SSO between apps but specify different configurations per application; for example, you may want the user's password to be sent (encrypted) to the webtop for SSO to Citrix or apps with form-based auth, where the password should not be sent otherwise, or cloud applications may have specific requirements that are different from your internal apps.
- Each IdP is bound to one SAML SP per application.
- Each application VS has an access policy that contains a SAML Authentication step pointing to an individual SAML SP.
Here is a link to F5 instructions for how to set it up:
https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-12-1-0/29.html#unique_1485171297
There is another way to set it up where you have one F5 SAML IdP for all your applications; however, you will not want to do this because you won't have the flexibility suggested above to have different configurations on a per-application basis.
I really like this setup because all the "intelligence" about authenticating a user is in the IdP and is not replicated in each SP. In the SP I just do authorisation, i.e., is the already-authenticated user allowed to use this application? That makes the application's APM policy very simple and, generally speaking, cookie-cutter; I just copy an existing application's policy and change the group I am authorising against.
As a note, although the document I linked to references SAML artifacts, I couldn't get artifacts to work. This is not required and increases complexity/more moving parts. However, it bothers me that I couldn't get it to work :-) so I would appreciate it if anyone who has successfully deployed it could give pointers.
Evan
In the IdP's access policy you will need to assign a SAML resource for each application. This provides the linkage between the IdP access policy to the IdP SAML objects and bound SP objects. Once you do this you should find it all works fine, for both IdP and SP-initiated. We use SP-initiated.
Adding a webtop is completely optional and I did not add one. We have a separate webtop portal that has the SAML apps as well as other apps and I thought it would be confusing that a user went to the IdP by accident and saw a webtop that looks very much like our portal with only a fraction of the expected apps.
Evan