APM/LTM 12.1: SAML IdP and SP possible in one VE?

Question

Hi,
Is it possible to run an SAML IdP and one (or better: more) SPs on one VE?
I found a sentence in the doc: In a federation of BIG-IP-Systems, one BIG-IP System acts as a SAML Identity Provider and other BIG-IP systems act as SAML service providers.&nbsp;
Our environment isn't that demanding, so one VE-cluster could take the load easily.&nbsp;
The use case is as follows:&nbsp;
APM 12.1.3 for SSO for resources, some of them (still) form-based, one external as SAML-SP up and running.On premises, we have a cluster of 3 servers running OpenExchange, offering HTTP, HTTPS, IMAP and other up and running.An LTM load balancer is set up for that cluster, running for the cluster above, up and running.
Now, I want to have a SAML resource on the SSO-portal for that load balancer for HTTPS.
Unsuccessful so far to get that one. AND not sure if that even can be done. ;)&nbsp;
Any clues?
Thanks in advance,
HP.&nbsp;

daniel_varela · Answer

It is possible, I have done that many times in my lab. You need to be careful and configure you vs with different dns names to avoid get the browser to send the apm cookie it has for the Idp session when it access the Sp (the sp will be confused to see apm cookies for a session that is not started)&nbsp;
Keep in mind that you are doubling up the number of sessions in this deployment, one for the Idp and one for the Sp. &nbsp;

psilva · Answer

We got a Lightboard Post of the Week for this!&nbsp;
https://devcentral.f5.com/articles/post-of-the-week-saml-idp-and-sp-on-one-big-ip-30680&nbsp;
ps&nbsp;

migara_61430 · Answer

BTW this will only work if you're not using HTTP artifact binding with SAML2.0. &nbsp;
Having said that you can still configure artifact resolution service if you use HTTP for your VSs. That will come in handy if you just want to lab test, but not for production use for obvious reasons.&nbsp;
[Artifact resolution service] https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/27.html&nbsp;

henrik_s · Answer

Could you please elaborate on why this does not work with HTTPS and artifact binding on the same BIG-IP instance? I see the TCP handshake from the host not beein followed up by a client_hello for TLS but rather sending a straight HTTP-post.&nbsp;
When I read your comment I changed to HTTP and that works, but is really suboptimal..&nbsp;

Forum Discussion

APM/LTM 12.1: SAML IdP and SP possible in one VE?

4 Replies

Recent Discussions

ASM instance creation

[ASM] - what is "Browser Challange file" ?

[ASM] - HTML5 Cross-Domain Request Enforcement - CLI command

Reverse Proxy Not Behaving

Stable Firmware for F5

Related Content

User roles per partition: are multiple possible?

iRule to set SameSite for compatible clients and remove it for incompatible clients (LTM|ASM|APM)

Simplifying Local Traffic Policies In BIG-IP 12.1

Modify vCMP-Guest with ansible not possible?

APM vs LTM