AWS federation using F5 APM and SAML

Question

It would seem that for just about every other IdP out there there is detailed information for configuration SSO with AWS however I have really struggled to find detailed information on this for F5 APM.&nbsp;
Does anyone have any experience doing this? Getting the basic configuration done is not at all difficult, however when it comes to mapping AD Groups to AWS roles it is difficult to see how to do this in APM. Other IdP's such as ADFS and Shibboleth have options to transform LDAP queries to AWS roles but I have not found anything similar in APM. &nbsp;
If anyone can point me in the right direction that would be great. &nbsp;

robert_teller_7 · Answer

I know this is a little late but take a look at https://devcentral.f5.com/articles/configuration-example-big-ip-apm-as-saml-idp-for-amazon-web-services and let me know if you have any questions.&nbsp;

nick_aslanidis_ · Answer

Hi Robert. Thanks for that, that's excellent and I really appreciate it. There really isn't a lot of information out there on this and as I'm fairly new to both AWS and APM it was proving a little difficult.

I have made progress and do now have it working along the lines of what you've done in your example. In fact your way is a little nicer when it comes to the VPE so I will modify my policy today to simplify it a bit. The only issue that remains for me is handling people who may be in more than one AD group and thus need to be able to access more than one role. The AWS console handles it nicely in that if you have access to more than one role you get the option to choose. I am trying to replicate that with the SAML assertions but it's difficult with the way the multi-valued attributes work. The only way I could see it working was if there's a way to add or remove attribute values based on a group membership. I haven't as of yet found a way to do that yet but if you know of any way of potentially doing that. If not thanks for your assistance anyway.

Nick.

moureg16 · Answer

I’m working on using F5 as a SAML idP and I need to emulate a SaaS as SP.
I faced a lack of knowledge a round related to how to create such lab “the application demo” to use it as a SP&nbsp;

Forum Discussion

AWS federation using F5 APM and SAML

3 Replies

Recent Discussions

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

minimum tmos software version for connect CIS (openshift)

Related Content

Federated AWS Console Access Made Easy: F5 BIG-IP Access Policy Manager Access Guided Configurations

Citrix Federated Authentication Service Integration with APM

US FEDERAL: DISA UCCO APL Certification

Enable SAML Service Provider on F5 Distributed Cloud Application

US FEDERAL: CCRI Season Lessons Learned