Forum Discussion

jaiAdityaSingla
Oct 31, 2016

SAML for o365, google apps and cloud proxy

I'm looking for a solution like IdP chaining, to do SSO for O365, Google Apps and Zscaler, since all the SPs require a different context.

Please assist ASAP.

Please refer me to some blogs / deployment guides / solutions...

 

4 Replies

  • Hi

    I also have a similar setup. Currently I have 3 x F5 APM IdPs with Google Apps, Office 365 and Zscaler on 3 separate VIPs/APM policies; all three use the same back-end AAA AD object and are currently SP-initiated only.

    The SAML assertions for all three services, as far as I'm aware / have set up, all have differing requirements for the SAML Subject field (Google = email, Office 365 = UPN, Zscaler = sAMAccountName), and these are not changeable on the SP side.

    I have read the above recommended guide and wanted to clarify/ask whether it is possible to have these 3 SAML assertion Subject fields somehow reproduced/recreated by a single F5 IdP object.

    I have also read the F5 IdP chaining to external IdP guide here: https://devcentral.f5.com/s/articles/apm-cookbook-saml-idp-chaining

    I'm thinking perhaps chaining the three F5 IdPs together may also produce the desired result, by recreating the SAML assertion between the 3 IdPs.

    All these IdP VIPs/policies exist on the same device, which is an HA pair of BIG-IP appliances.

    Thanks

    Jzimm

     

  • Yes, you most certainly can have it all done on a single IdP. What you do is take the IdP configurations you already have defined and consolidate them into a single policy, i.e. assign all SAML resources to a single APM policy. Of course, you will probably need to update your SAML configs/metadata on the SPs to account for the same ACS instead of using three different ACS URLs, but that should be it. You can run through the iApp as a dummy and see what kind of config it builds when configuring multiple SPs to be federated by a single IdP, if you want to be sure your config is an exact match of what the iApp creates.
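The mechanism the two replies above describe, one IdP and one AD lookup feeding three SPs that each demand a different Subject NameID, is easy to get wrong in a way that matters for security: the IdP must pick the NameID from the SP that sent the request (never from anything the user controls), must refuse to issue for an SP it does not know, and must bind the assertion to that SP with an AudienceRestriction so an assertion minted for Google cannot be replayed to Zscaler. The Python below is an added illustration of that logic, not code from the thread, from F5 APM or from any of the three SPs. The SP entity IDs, the IdP entity ID and the AD user record are constructed placeholders; the attribute-to-SP mapping is the one the reply above reports, so check each SP's current federation documentation for the exact NameID format it expects. Signing is deliberately left out (it needs an XML-DSig library such as xmlsec), but a real IdP must sign, and a real SP must reject, an unsigned assertion.

```python
"""One IdP, three SPs, three Subject NameIDs drawn from one AD record.

Added example; not part of the original thread or of F5's products.
"""
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Standard SAML NameID format URIs.
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Per-SP Subject policy keyed by the SP's entityID.  The entity IDs are
# placeholders (assumption); the AD attribute per SP follows the reply
# above (Google = mail, Office 365 = UPN, Zscaler = sAMAccountName).
SP_SUBJECT_POLICY = {
    "https://sp.example/google":  ("mail",              NAMEID_EMAIL),
    "https://sp.example/o365":    ("userPrincipalName", NAMEID_UNSPECIFIED),
    "https://sp.example/zscaler": ("sAMAccountName",    NAMEID_UNSPECIFIED),
}

# Constructed sample of what the shared AAA/AD lookup returns for one user.
SAMPLE_AD_USER = {
    "mail": "jdoe@example.com",
    "userPrincipalName": "jdoe@corp.example.com",
    "sAMAccountName": "jdoe",
}

IDP_ENTITY_ID = "https://idp.example/saml"   # placeholder (assumption)


class UnknownServiceProvider(ValueError):
    """Raised when a request names an SP the IdP is not federated with."""


def select_subject(sp_entity_id, ad_attrs):
    """Return (NameID value, NameID format) for this SP.

    The choice is keyed on the SP only; nothing the user submits can
    change which AD attribute becomes the Subject.
    """
    try:
        attr, fmt = SP_SUBJECT_POLICY[sp_entity_id]
    except KeyError:
        raise UnknownServiceProvider(sp_entity_id) from None
    value = ad_attrs.get(attr)
    if not value:
        # An empty Subject would let the SP match "nobody" or "anybody".
        raise ValueError(f"user has no {attr}; refusing to assert an empty subject")
    return value, fmt


def _stamp(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_assertion(sp_entity_id, ad_attrs, lifetime_s=300, now=None):
    """Build an (unsigned) SAML 2.0 Assertion for one SP.

    Signing with the IdP key is required in production and omitted here.
    """
    now = now or dt.datetime.now(dt.timezone.utc)
    name_id, fmt = select_subject(sp_entity_id, ad_attrs)
    tag = lambda n: f"{{{SAML_NS}}}{n}"

    a = ET.Element(tag("Assertion"), {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _stamp(now)})
    ET.SubElement(a, tag("Issuer")).text = IDP_ENTITY_ID
    subj = ET.SubElement(a, tag("Subject"))
    ET.SubElement(subj, tag("NameID"), {"Format": fmt}).text = name_id
    # Short lifetime plus AudienceRestriction: the assertion is only good
    # for this SP, so it cannot be replayed against one of the others.
    cond = ET.SubElement(a, tag("Conditions"), {
        "NotBefore": _stamp(now),
        "NotOnOrAfter": _stamp(now + dt.timedelta(seconds=lifetime_s))})
    aud = ET.SubElement(cond, tag("AudienceRestriction"))
    ET.SubElement(aud, tag("Audience")).text = sp_entity_id
    return ET.tostring(a, encoding="unicode")


def subject_of(assertion_xml):
    """Return (NameID value, Format) as an SP would read them back."""
    root = ET.fromstring(assertion_xml)
    nid = root.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    return nid.text, nid.get("Format")


def audience_of(assertion_xml):
    root = ET.fromstring(assertion_xml)
    return root.findtext(
        f"{{{SAML_NS}}}Conditions/{{{SAML_NS}}}AudienceRestriction/{{{SAML_NS}}}Audience")


if __name__ == "__main__":
    for sp in SP_SUBJECT_POLICY:
        print(sp, "->", subject_of(build_assertion(sp, SAMPLE_AD_USER)))
```

Run it and the same user comes out as jdoe@example.com for the Google placeholder, jdoe@corp.example.com for the Office 365 placeholder and jdoe for the Zscaler placeholder, each assertion carrying its own Audience. That is the behaviour a consolidated APM policy has to reproduce: one AAA lookup, then per-SP Subject selection, rather than one Subject for all SPs.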