Forum Discussion

jonathanw84
Oct 27, 2021

F5 as an IdP for ArcGIS Online

Hello,

 

I have a request to set up an environment on our F5 as an IdP for ArcGIS Online:

 

"Our team has a handful of issues regarding using F5 BIG-IP and Access Policy Manager as an IDP configured with ArcGIS Online and Enterprise. Creating an environment will allow us to test and resolve issues with this specific implementation."

 

Per the requester, they just need a test environment configured for them to use for troubleshooting purposes and it does not need to be joined to AD. We only have the APM Limited module and have never utilized the F5 for this. I've read some of the documentation but it is still unclear to me how to go about this. What information do I need from the requester to move this forward?

 

Any assistance would be appreciated. Thanks!

 

1 Reply

  • Hi ,

     

    From their website I can see that ArcGIS Online supports SP-initiated SAML logins and IdP-initiated SAML logins.

    Your BIG-IP APM Limited supports SAML. See here for the limitations of APM Limited: K72971039: BIG-IP APM operations guide | Chapter 2: Licenses

     

    There are two flavours of SSO with SAML, SP-initiated or IdP-initiated login. I guess your customer is asking you to set up SP-initiated login. The login process for SP-initiated login would look as follows.

    1. The user logs in to the Service Provider, in your case ArcGIS Online.
    2. The Service Provider uses the browser to redirect the user back to the BIG-IP APM IdP.
    3. The BIG-IP APM IdP prompts the user to log in.
    4. The system retrieves any required attributes from the user data store to pass on to the Service Provider.
    5. The system uses the browser to send the SAML assertion and any required attributes to the Service Provider.

     

    If this is the use case your customer is looking for, then you can find the documentation for such a setup here: Manual Chapter : Using APM as a SAML IdP (no SSO portal)

     

    The other use case is IdP-initiated login. If your customer is looking for this, then this is the process:

    1. The user logs in to the BIG-IP APM IdP and the system directs them to the BIG-IP APM webtop.
    2. The user selects the Service Provider, in your case ArcGIS Online.
    3. The system retrieves any required attributes from the user data store to pass on to the Service Provider.
    4. The system uses the browser to direct the request to the Service Provider, along with the SAML assertion and any required attributes.

     

    And there is also a setup guide: Using APM as a SAML IdP (SSO portal)

     

    KR

    Daniel
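The two flows Daniel lists above, as an added stand-alone simulation in Python (standard library only). This is example code written for this page, not code from the thread, from F5 or from Esri. It plays both sides: an `IdentityProvider` class standing in for BIG-IP APM and a `ServiceProvider` class standing in for ArcGIS Online, exchanging a real SAML 2.0 `AuthnRequest` (HTTP-Redirect binding: raw DEFLATE, base64, query string) and a `Response`/`Assertion` carrying user attributes (HTTP-POST binding: base64). It goes a little beyond the reply's step lists by also showing the checks the SP side has to make on the assertion (issuer, `InResponseTo` against an outstanding request, audience, validity window, replay). The entity IDs, URLs, the `USERS` store and the user `jdoe` are all assumptions invented for the example, and XML signing and signature verification, which a real IdP and SP must do, are left out.

```python
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP, SAML = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
FMT = "%Y-%m-%dT%H:%M:%SZ"
# Assumed identifiers; the real ones come from ArcGIS Online's SP metadata and the APM IdP configuration.
IDP_ENTITY, SP_ENTITY = "https://apm.example.com/saml/idp", "https://example.maps.arcgis.com"
SSO_URL, ACS_URL = IDP_ENTITY + "/sso", SP_ENTITY + "/sharing/rest/oauth2/saml/signin"
# Constructed stand-in for the IdP's user data store (the "required attributes" in both flows).
USERS = {"jdoe": {"email": "jdoe@example.com", "displayName": "Jane Doe", "groups": "gis-editors"}}


def q(ns, tag):
    return "{%s}%s" % (ns, tag)  # Clark notation, as ElementTree expects


def new_id():
    return "_" + secrets.token_hex(16)  # SAML IDs must start with a letter or underscore


class IdentityProvider:  # stands in for BIG-IP APM; the user's actual authentication is assumed to succeed
    def handle_redirect(self, url, username):
        # SP-initiated steps 2-4: decode the HTTP-Redirect AuthnRequest (raw DEFLATE, then base64)
        # and answer it with a Response bound to the request ID via InResponseTo.
        raw = base64.b64decode(parse_qs(urlparse(url).query)["SAMLRequest"][0])
        req = ET.fromstring(zlib.decompress(raw, -15))
        if req.tag != q(SAMLP, "AuthnRequest") or req.findtext(q(SAML, "Issuer")) != SP_ENTITY:
            raise ValueError("AuthnRequest is not from the configured SP")
        return self.issue_response(username, in_response_to=req.get("ID"))

    def issue_response(self, username, in_response_to=None):
        # SP-initiated step 5, or IdP-initiated steps 3-4 when in_response_to is None (unsolicited).
        now = datetime.now(timezone.utc)
        common = {"Version": "2.0", "IssueInstant": now.strftime(FMT)}
        link = {"InResponseTo": in_response_to} if in_response_to else {}
        resp = ET.Element(q(SAMLP, "Response"), {"ID": new_id(), "Destination": ACS_URL, **common, **link})
        ET.SubElement(resp, q(SAML, "Issuer")).text = IDP_ENTITY
        a = ET.SubElement(resp, q(SAML, "Assertion"), {"ID": new_id(), **common})
        ET.SubElement(a, q(SAML, "Issuer")).text = IDP_ENTITY
        ET.SubElement(ET.SubElement(a, q(SAML, "Subject")), q(SAML, "NameID")).text = username
        window = {"NotBefore": (now - timedelta(minutes=1)).strftime(FMT), "NotOnOrAfter": (now + timedelta(minutes=5)).strftime(FMT)}
        cond = ET.SubElement(a, q(SAML, "Conditions"), window)
        ET.SubElement(ET.SubElement(cond, q(SAML, "AudienceRestriction")), q(SAML, "Audience")).text = SP_ENTITY
        stmt = ET.SubElement(a, q(SAML, "AttributeStatement"))
        for name, value in USERS[username].items():
            ET.SubElement(ET.SubElement(stmt, q(SAML, "Attribute"), {"Name": name}), q(SAML, "AttributeValue")).text = value
        # A real IdP signs the Assertion (XML-DSig) at this point; signing is omitted in this simulation.
        return base64.b64encode(ET.tostring(resp)).decode()  # HTTP-POST binding payload


class ServiceProvider:  # stands in for ArcGIS Online's assertion consumer service
    def __init__(self, allow_idp_initiated=False):
        self.allow_idp_initiated = allow_idp_initiated
        self.pending = set()  # outstanding AuthnRequest IDs
        self.seen = set()  # consumed assertion IDs, so a captured Response cannot be replayed

    def start_login(self):
        # SP-initiated steps 1-2: AuthnRequest over HTTP-Redirect (raw DEFLATE, base64, query string).
        req_id = new_id()
        req = ET.Element(q(SAMLP, "AuthnRequest"), {"ID": req_id, "Version": "2.0", "AssertionConsumerServiceURL": ACS_URL,
                                                   "IssueInstant": datetime.now(timezone.utc).strftime(FMT)})
        ET.SubElement(req, q(SAML, "Issuer")).text = SP_ENTITY
        z = zlib.compressobj(9, zlib.DEFLATED, -15)
        self.pending.add(req_id)
        return SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(z.compress(ET.tostring(req)) + z.flush()).decode()})

    def consume(self, response_b64):
        # Final step of both flows. Verifying the XML signature against the IdP's certificate is assumed
        # to happen before this (omitted); the checks below are the ones that remain.
        now = datetime.now(timezone.utc)
        resp = ET.fromstring(base64.b64decode(response_b64))
        a = resp.find(q(SAML, "Assertion"))
        if resp.tag != q(SAMLP, "Response") or resp.findtext(q(SAML, "Issuer")) != IDP_ENTITY or a is None:
            raise ValueError("not a Response carrying an Assertion from the configured IdP")
        if a.get("ID") in self.seen:
            raise ValueError("replayed assertion")
        in_resp = resp.get("InResponseTo")
        if in_resp is None and not self.allow_idp_initiated:
            raise ValueError("unsolicited (IdP-initiated) Response rejected by policy")
        if in_resp is not None and in_resp not in self.pending:
            raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
        cond = a.find(q(SAML, "Conditions"))
        lo, hi = (datetime.strptime(cond.get(k), FMT).replace(tzinfo=timezone.utc) for k in ("NotBefore", "NotOnOrAfter"))
        if not lo <= now < hi:
            raise ValueError("assertion outside its validity window")
        if SP_ENTITY not in [x.text for x in cond.iter(q(SAML, "Audience"))]:
            raise ValueError("assertion audience is not this SP")
        self.pending.discard(in_resp)
        self.seen.add(a.get("ID"))
        attrs = {x.get("Name"): x.findtext(q(SAML, "AttributeValue")) for x in a.iter(q(SAML, "Attribute"))}
        return a.find(q(SAML, "Subject")).findtext(q(SAML, "NameID")), attrs


def login(username="jdoe", idp_initiated=False, allow_idp_initiated=False):
    idp, sp = IdentityProvider(), ServiceProvider(allow_idp_initiated)
    if idp_initiated:  # user picked ArcGIS Online on the APM webtop: unsolicited Response straight to the ACS
        return sp.consume(idp.issue_response(username))
    url = sp.start_login()  # 1-2: SP redirects the browser to the IdP
    return sp.consume(idp.handle_redirect(url, username))  # 3-5: IdP issues the assertion, browser POSTs it
```

`login()` runs the SP-initiated flow and `login(idp_initiated=True, allow_idp_initiated=True)` the IdP-initiated one; both return the NameID and attribute dictionary the SP extracted. With the default `allow_idp_initiated=False` the unsolicited Response is refused, because there is no outstanding `AuthnRequest` to tie it to, which is the practical difference between the two setup guides linked in the reply. The assumed entity IDs, ACS URL and (in a real deployment) signing certificate are exactly the values the IdP and SP exchange through their metadata before either flow can work.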