Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Clear all filters

AWS federation using F5 APM and SAML

It would seem that for just about every other IdP out there there is detailed information for configuration SSO with AWS however I have really struggled to find detailed information on this for F5 APM.

Does anyone have any experience doing this? Getting the basic configuration done is not at all difficult, however when it comes to mapping AD Groups to AWS roles it is difficult to see how to do this in APM. Other IdP's such as ADFS and Shibboleth have options to transform LDAP queries to AWS roles but I have not found anything similar in APM.

If anyone can point me in the right direction that would be great.

Rate this Question

Answers to this Question


I know this is a little late but take a look at https://devcentral.f5.com/articles/configuration-example-big-ip-apm-as-saml-idp-for-amazon-web-services and let me know if you have any questions.

Comments on this Answer
Comment made 05-Oct-2015 by Nick Aslanidis 82
Hi Robert. Thanks for that, that's excellent and I really appreciate it. There really isn't a lot of information out there on this and as I'm fairly new to both AWS and APM it was proving a little difficult. I have made progress and do now have it working along the lines of what you've done in your example. In fact your way is a little nicer when it comes to the VPE so I will modify my policy today to simplify it a bit. The only issue that remains for me is handling people who may be in more than one AD group and thus need to be able to access more than one role. The AWS console handles it nicely in that if you have access to more than one role you get the option to choose. I am trying to replicate that with the SAML assertions but it's difficult with the way the multi-valued attributes work. The only way I could see it working was if there's a way to add or remove attribute values based on a group membership. I haven't as of yet found a way to do that yet but if you know of any way of potentially doing that. If not thanks for your assistance anyway. Nick.

I’m working on using F5 as a SAML idP and I need to emulate a SaaS as SP. I faced a lack of knowledge a round related to how to create such lab “the application demo” to use it as a SP