APM as a SAML SP and integration of SAML with Sharepoint

Hi all,

I am investigating a scenario where a SharePoint site is protected by an APM using SAML authentication and where the claims should also be sent into the SharePoint site. Now, I have come up with the following flow:

  1. Client contacts https://sharepoint.example.com/, which is a VIP with a SAML SP access service
  2. sharepoint.example.com's SAML SP redirects the client to e.g. https://idp.contoso.com/'s SAML IdP URL
  3. Client logs in at idp.contoso.com, is accepted and is subsequently redirected to https://sharepoint.example.com/'s SAML SP return URL with a SAML token
  4. sharepoint.example.com's SAML SP processes the SAML token and grants access (sets session cookies etc.), but, and here's the problem, it should redirect the client to an ADFS 2.0 server's SP with a new SAML token which is issued by an IdP on the APM (IdP proxy?)
  5. Client now contacts https://adfs.example.com/'s SAML SP with the SAML token issued by the F5 APM IdP
  6. ADFS consumes the SAML 2.0 token from the APM IdP and issues a new SAML 1.1 token which the SharePoint installation can consume. ADFS now redirects again to https://sharepoint.example.com/'s SharePoint trust site (/_trust/)
  7. Client now contacts https://sharepoint.example.com/_trust/ with both an F5 session cookie and a SAML token issued by the ADFS (which is trusted by SharePoint)
  8. Client is granted access to the SharePoint site

SharePoint 2010/2013 only supports SAML 1.1, and APM runs SAML 2.0, so I'll need a "conversion" done by e.g. ADFS 2.0, which should (!?) be able to talk to both F5 APM (unsure, I haven't tested fully yet) and SharePoint (this I know for sure).

I have tested points 1-4, but I have not been able to make the APM redirect again with a new SAML IdP token; it will only redirect (relay state in the SP config) a "normal" connection.

This is a "work in progress" and I am open to any suggestions on how this could be done.


Replies to this Discussion


Technically speaking, because SharePoint only understands WIF, its STS must be ADFS. So the traffic looks more like this:

  1. Client contacts a claims-aware SharePoint site and is redirected to its STS (ADFS or ADFS proxy).
  2. ADFS redirects the client to its STS, the APM IdP.
  3. Client contacts APM IdP and authenticates. APM IdP creates an assertion and sends the client back to its relying party (ADFS).
  4. ADFS transforms the claim into a 1.1 token and redirects the client to SharePoint with the new claim.

So you would essentially create a binding between ADFS and APM IdP, and another between ADFS and SharePoint.

The biggest divergence from your description though is in where the SP service sits. If APM is the SP, then it's going to consume the assertion and terminate the SAML authentication. It isn't going to send that same claim to the SharePoint server. It could, but that would require some custom iRule coding (at a minimum: additional processing to get the SAML 2.0 assertion to ADFS for transformation, and a "double trust" such that the APM IdP signs the assertion with a key that both the SP and ADFS can validate). If you need APM to be an SP, you might want to consider doing Kerberos SSO to SharePoint instead.

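The reply's corrected flow (ADFS as SharePoint's STS, the APM IdP as ADFS's claims provider) and the original post's step 4 (re-using the assertion the APM SP has already consumed) both come down to which relying party trusts which issuer, and which audience an assertion is scoped to. The following is an added example written for this page, not code from the thread, F5 or Microsoft. It models the two trust bindings in Python; the entity IDs, keys, request IDs and claim rules are assumptions, and signatures are HMACs so that it runs offline, where real SAML uses XML-DSig over the assertion.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

CLOCK_SKEW = timedelta(minutes=5)          # drift tolerated on NotBefore
ASSERTION_LIFETIME = timedelta(minutes=5)  # NotOnOrAfter relative to issue time

# Entity IDs and keys are assumptions for this example, not values from the thread.
APM_IDP = "https://sharepoint.example.com/idp"        # IdP service hosted on the APM
ADFS = "http://adfs.example.com/adfs/services/trust"   # relying party of the APM IdP, STS for SharePoint
SHAREPOINT = "urn:sharepoint:intranet"                 # realm SharePoint registers with ADFS
APM_SP = "https://sharepoint.example.com/sp"           # the SP service on the APM (steps 1-4 of the post)
EXTERNAL_IDP = "https://idp.contoso.com/idp"           # external IdP the APM SP consumes
APM_KEY, ADFS_KEY, EXT_KEY = b"apm-idp-key", b"adfs-key", b"contoso-idp-key"

def _canonical(fields):
    return json.dumps(fields, sort_keys=True).encode()

def issue(issuer, key, subject, audience, in_response_to, attrs, now=None, version="2.0"):
    """Issue a toy assertion carrying the elements a relying party must check:
    Issuer, Subject, AudienceRestriction, InResponseTo and the Conditions window.
    The signature is an HMAC so this runs offline; real issuers use XML-DSig."""
    now = now or datetime.now(timezone.utc)
    body = {
        "version": version, "issuer": issuer, "subject": subject,
        "audience": audience, "in_response_to": in_response_to,
        "not_before": (now - CLOCK_SKEW).isoformat(),
        "not_on_or_after": (now + ASSERTION_LIFETIME).isoformat(),
        "attributes": attrs,
    }
    return {**body, "signature": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}

def validate(assertion, trusted_issuers, my_entity_id, pending_requests, now=None):
    """Relying-party checks. trusted_issuers: issuer entity ID -> verification key.
    pending_requests: IDs of AuthnRequests this RP sent and has not seen answered.
    Returns the attributes or raises ValueError naming the failed check."""
    now = now or datetime.now(timezone.utc)
    key = trusted_issuers.get(assertion["issuer"])
    if key is None:
        raise ValueError(f"untrusted issuer {assertion['issuer']}")
    body = {k: v for k, v in assertion.items() if k != "signature"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(assertion.get("signature", ""), expected):
        raise ValueError("signature does not verify under the issuer's key")
    if assertion["audience"] != my_entity_id:
        raise ValueError(f"audience {assertion['audience']} is not {my_entity_id}")
    if not (datetime.fromisoformat(assertion["not_before"]) <= now
            < datetime.fromisoformat(assertion["not_on_or_after"])):
        raise ValueError("assertion outside its validity window")
    req_id = assertion["in_response_to"]
    if req_id is not None:  # SP-initiated: must answer a request we sent, exactly once
        if req_id not in pending_requests:
            raise ValueError(f"InResponseTo {req_id} unknown or already consumed (replay)")
        pending_requests.discard(req_id)
    return assertion["attributes"]

def run_chain(now=None):
    """Steps 2-4 of the reply: ADFS redirects to the APM IdP, validates the SAML 2.0
    assertion, rewrites the claims and issues a SAML 1.1 token scoped to SharePoint."""
    adfs_pending = {"_req-adfs-1"}   # AuthnRequest ADFS sent to the APM IdP
    saml2 = issue(APM_IDP, APM_KEY, "stig@example.com", ADFS, "_req-adfs-1",
                  {"email": "stig@example.com", "groups": ["social-users"]}, now)
    claims = validate(saml2, {APM_IDP: APM_KEY}, ADFS, adfs_pending, now)
    # Claim rules (constructed): map the incoming claims to the types SharePoint expects.
    transformed = {"upn": claims["email"], "role": claims["groups"]}
    saml11 = issue(ADFS, ADFS_KEY, claims["email"], SHAREPOINT, None, transformed, now, version="1.1")
    return validate(saml11, {ADFS: ADFS_KEY}, SHAREPOINT, set(), now)  # SharePoint trusts only ADFS

def why_sp_assertion_cannot_be_forwarded(now=None):
    """Step 4 of the post: the assertion the APM SP consumed was issued by contoso for the
    APM SP's audience. Try it against ADFS with ADFS's real trust list, then with a
    'double trust' that also holds contoso's key; return why each attempt fails."""
    spent = issue(EXTERNAL_IDP, EXT_KEY, "stig@example.com", APM_SP, "_req-sp-1",
                  {"email": "stig@example.com"}, now)
    reasons = []
    for trust in ({APM_IDP: APM_KEY}, {APM_IDP: APM_KEY, EXTERNAL_IDP: EXT_KEY}):
        try:
            validate(spent, trust, ADFS, {"_req-adfs-2"}, now)
            reasons.append("accepted")
        except ValueError as err:
            reasons.append(str(err))
    return reasons

def replay_check(now=None):
    """Present the same SAML 2.0 response to ADFS twice; the second pass fails on InResponseTo."""
    pending = {"_req-adfs-3"}
    a = issue(APM_IDP, APM_KEY, "stig@example.com", ADFS, "_req-adfs-3", {}, now)
    validate(a, {APM_IDP: APM_KEY}, ADFS, pending, now)
    try:
        validate(a, {APM_IDP: APM_KEY}, ADFS, pending, now)
    except ValueError as err:
        return str(err)
    return "accepted"
```

`run_chain()` returns the transformed claims SharePoint ends up with, and `why_sp_assertion_cannot_be_forwarded()` shows the two reasons the consumed assertion stops at ADFS: first an untrusted issuer, and, even once contoso's key is added to ADFS's trust list, an AudienceRestriction naming the APM SP rather than ADFS. That audience check is why the reply says a new assertion, issued by an IdP on the APM and signed with a key ADFS trusts, is needed rather than re-sending the one the SP consumed; the InResponseTo bookkeeping in `validate` is the replay protection an SP should also keep per session.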

I need the APM to be the SP as I don't want to let any traffic without a claim through to SharePoint or ADFS. If I were to use Kerberos SSO, wouldn't it negate the possibility of "social media logins"? Using Kerberos constrained delegation, I can make the APM request a Kerberos token on behalf of the client and authenticate with SharePoint, but that would only work for known domain users, wouldn't it?

My endgame here is to let the APM present a login page when a user goes to the SharePoint site with the ordinary login, and add a link to "social media logon" which sends the user off to e.g. an Azure ACS which handles all the external stuff. When the user does a standard login, I'll use either Kerberos SSO or NTLM directly to the SharePoint site. If the user opts for social media, I expect the user to come back with a SAML token, where the APM consumes the assertion to verify the claim and sends the client on its merry way towards the SharePoint site with new claims it understands. As this needs to be issued by ADFS and I don't want the client to have to input more data, I thought the APM needs to issue a new assertion based on the previous claims.

So, based on your answer, it seems I would have to do some iRule coding to issue a new SAML 2.0 assertion based on the received claim to make this work as I envision it? Do you or anyone else have an idea of what this would look like? I'll take a deeper look at iRules (I have only barely played with them so far) to see how this could be done, but any hints would be welcome.


Hi Stig, were you able to complete this setup?

Jon Ole


Hi Jon Ole, unfortunately I haven't had the time or resources to follow up on this setup any more. I have merely accepted the lack of this possibility in the APM at this time and moved along for now. I wish someone at F5 could do something about this. I have gotten replies off-list that this is a good "use case", but the functionality is still missing.


OK, I know F5 is working on an APM SAML SharePoint config guide; check with Per (F5 Norway).

Jon Ole

Comments on this Reply
Comment made 05-Feb-2014 by Craig.Stainbrook
Do you know if there is any update on the APM SAML SharePoint config guide, or any other solution from F5 other than putting ADFS in between SharePoint and APM? Thanks, Craig Stainbrook
Comment made 13-Mar-2014 by Joe P
Very much desired!
Comment made 18-Mar-2014 by Greg
Following this. Any update yet?
Comment made 02-Oct-2014 by F5Maniac
Also following. Any update, guys?

Any update on that? Thanks


I'm working on using F5 as a SAML IdP and I need to emulate a SaaS as SP. I faced a lack of knowledge around how to create such a lab ("the application demo") to use it as an SP.
