Forum Discussion
We use SAML for this. APM can act as SP and IdP and we use it for this.
The best way to set it up is:
- Your IdP is a single virtual server with an APM policy that authenticates the users as you wish and then assigns one SAML resource for each application (via Advanced Resource Assign).
- Each application's SAML resource links to one F5 IdP, so you need to create one IdP per application. Although they are separate they will all have the same entity ID. This allows you to keep SSO between apps but specify different configurations per application; for example, you may want the user's password to be sent (encrypted) to the webtop for SSO to Citrix or apps with form-based auth, where the password should not be sent otherwise, or cloud applications may have specific requirements that are different from your internal apps.
- Each IdP is bound to one SAML SP per application.
- Each application VS has an access policy that contains a SAML Authentication step pointing to an individual SAML SP.
Here is a link to F5 instructions for how to set it up:
https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-12-1-0/29.html#unique_1485171297
There is another way to set it up, where you have one F5 SAML IdP for all your applications; however, you will not want to do this because you won't have the flexibility suggested above to have different configurations on a per-application basis.
I really like this setup because all the "intelligence" about authenticating a user is in the IdP and is not replicated in each SP. In the SP I just do authorisation, i.e. is the already authenticated user allowed to use this application. That makes the application's APM policy very simple and, generally speaking, cookie-cutter; I just copy an existing application's policy and change the group I am authorising against.
As a note, although the document I linked to references SAML artifacts, I couldn't get artifacts to work. This is not required and adds complexity/more moving parts. However, it bothers me that I couldn't get it to work :-) so I would appreciate it if anyone who has successfully deployed it could give pointers.
Evan
Evan,
Thank you very much for taking the time to explain this.
Knowing that it is not only possible but that you have implemented something similar is very encouraging. I completely agree with your take that separating the core authentication steps into the IdP makes adding new applications a relatively standard procedure. This is what I am hoping to achieve.
I have, using your high-level guide, now put together a skeleton configuration of sorts. I am struggling slightly on the last leg, and this may be the nature of the application I am securing. The initial request connects and the client is redirected to the IdP server. Authentication is performed, but the IdP service does not seem to redirect the client back to the SP. There may well be configuration errors that I have yet to spot, but could you confirm, on a general note, that in your setup it is possible to perform SP-initiated as well as IdP-initiated authentication using this method? The errors that I am seeing suggest that I need to end the IdP policy with a webtop and SAML resource assignment rather than relying on SP redirection.
Thanks again for your guidance,
Barny
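To make the trust layout in Evan's post and the SP-initiated versus IdP-initiated question in Barny's reply concrete, here is an added Python model that is not part of the thread and is not F5 APM code. It models one IdP that authenticates users and issues assertions from per-application IdP configurations sharing a single entity ID (one of them passes the password through, the other does not), and SPs whose only decision is group authorisation. The entity IDs, ACS URLs, user records and HMAC-over-JSON "signature" (standing in for XML-DSig) are all constructed for the example; in real SAML the password attribute would be encrypted and the assertion signed with the IdP's private key.

```python
"""Constructed model of the APM layout from the thread: one IdP, per-app IdP
configs with a shared entity ID, SPs that only authorise.  Not F5 code."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

IDP_ENTITY_ID = "https://idp.example.test/saml"  # shared by every per-app IdP config (assumed)
SIGNING_KEY = b"constructed-demo-key"            # stands in for the IdP signing key

# Constructed user store; in APM this is whatever the IdP policy authenticates against.
USERS = {
    "alice": {"password": "alice-pw", "groups": ["hr", "citrix-users"]},
    "bob":   {"password": "bob-pw",   "groups": ["engineering"]},
}


@dataclass
class IdpConfig:
    """One per application: same issuer, different per-app behaviour."""
    sp_entity_id: str
    acs_url: str
    send_password: bool = False  # e.g. Citrix / form-based SSO needs it, cloud apps must not get it


@dataclass
class SpConfig:
    entity_id: str
    acs_url: str
    allowed_group: str  # the only thing the application's policy decides on


def _sign(assertion: dict) -> str:
    canonical = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, canonical, hashlib.sha256).hexdigest()


def idp_authenticate(username: str, password: str) -> dict:
    """The 'intelligence' lives here: every app relies on this one step."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        raise PermissionError("authentication failed")
    return {"name": username, "groups": list(user["groups"])}


def idp_issue_response(cfg: IdpConfig, session: dict, password=None, in_response_to=None) -> dict:
    assertion = {
        "issuer": IDP_ENTITY_ID,          # identical for every app, which is what keeps SSO working
        "audience": cfg.sp_entity_id,     # but each assertion is scoped to exactly one SP
        "subject": session["name"],
        "attributes": {"groups": session["groups"]},
        "in_response_to": in_response_to,  # None for an IdP-initiated flow
    }
    if cfg.send_password:
        assertion["attributes"]["password"] = password  # encrypted in real SAML; plain in this model
    return {"destination": cfg.acs_url, "assertion": assertion, "signature": _sign(assertion)}


def sp_consume(sp: SpConfig, response: dict, expected_request_id=None) -> dict:
    """The SP trusts authentication to the IdP and only checks scope, integrity and group."""
    a = response["assertion"]
    if not hmac.compare_digest(_sign(a), response["signature"]):
        raise ValueError("bad signature")
    if a["issuer"] != IDP_ENTITY_ID:
        raise ValueError("unknown issuer")
    if a["audience"] != sp.entity_id:
        raise ValueError("assertion was issued for a different SP")
    if response["destination"] != sp.acs_url:
        raise ValueError("response delivered to the wrong ACS")
    if expected_request_id is not None and a["in_response_to"] != expected_request_id:
        raise ValueError("response does not answer our AuthnRequest")
    if sp.allowed_group not in a["attributes"]["groups"]:
        raise PermissionError("authenticated, but not authorised for this application")
    return {"user": a["subject"], "has_password": "password" in a["attributes"]}


def sp_initiated(sp: SpConfig, idp_cfg: IdpConfig, username: str, password: str) -> dict:
    """SP issues an AuthnRequest id, IdP answers to the ACS, SP matches InResponseTo."""
    request_id = "_" + secrets.token_hex(8)
    session = idp_authenticate(username, password)
    response = idp_issue_response(idp_cfg, session, password, in_response_to=request_id)
    return sp_consume(sp, response, expected_request_id=request_id)


def idp_initiated(sp: SpConfig, idp_cfg: IdpConfig, username: str, password: str) -> dict:
    """User logs in at the IdP and picks the app; the IdP pushes an unsolicited response."""
    session = idp_authenticate(username, password)
    response = idp_issue_response(idp_cfg, session, password)
    return sp_consume(sp, response)


# Two applications, two IdP configs, one issuer (all names constructed).
CITRIX_SP = SpConfig("https://citrix.example.test/sp", "https://citrix.example.test/acs", "citrix-users")
CITRIX_IDP = IdpConfig(CITRIX_SP.entity_id, CITRIX_SP.acs_url, send_password=True)
CLOUD_SP = SpConfig("https://cloud.example.test/sp", "https://cloud.example.test/acs", "engineering")
CLOUD_IDP = IdpConfig(CLOUD_SP.entity_id, CLOUD_SP.acs_url, send_password=False)
```

Both flows end in the same `sp_consume` check; the only difference is that the SP-initiated path carries the request id through and verifies it on the way back. A new application is added by creating one more `SpConfig`/`IdpConfig` pair and changing `allowed_group`, which is the "cookie-cutter" SP policy Evan describes.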