
Use APM to access a web server (SP) requiring SAML by using an ADFS server (IdP)

Hi,
At the moment I have a web server (Service Provider) and a Windows ADFS server (Identity Provider) which allows users on the main network to visit. (Work PC > Webserver > IdP > Webserver > now authenticated)

I am now trying to set this up so users can access the web server remotely by using the F5 APM module. One option is that I set the F5 up as an IdP and connect to the SP. However, the web server is a SaaS and cannot be easily changed. For example, I cannot change the SP to accept tokens from the F5.

So my question is, can I somehow get the F5 to use the Windows ADFS server to assert the tokens on its behalf? And how can I do this?

Thanks for your time.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

After days of researching and after posting this question, I have now found https://support.f5.com/kb/en-us/solutions/public/17000/000/sol17041.html which looks like it will solve the problem. Can anyone possibly confirm?


Hi Danfraser,

figure 3.) would be suitable, if you want to make your internal AD FS securely accessible over the internet (aka. using APM PreAuth with credential delegation).

But additional steps may be required to make your SaaS application accessible over the internet, too (aka. using the same APM PreAuth but without credential delegation).

The combination of both would create a strong protection for both services and would allow the SaaS application to still use AD FS as an authentication provider.

Cheers, Kai


Hi, I am planning to configure the same (ADFS as IdP and F5 APM as SP). I couldn't find any documentation or help on it; I wonder if someone can guide me. I have the APM policy as

Start -> SAML Auth -> SSO Credential Mapping -> Allow

                                            Deny

I imported XML file into External Idp Connectors under SAML-> BIG IP as SP

Local SP Services configured as follows:

General Settings
~~~~~~~~~~~~~~~
Name: F5-SP
Entity ID: https://login.example.com
SP Name Settings:
  Scheme: https
  Host: login.example.com

Endpoint Settings:
~~~~~~~~~~~~~~~~~
Assertion Consumer Service Binding: POST

Security Settings:
~~~~~~~~~~~~~~~~~~
Checked: Authentication Request (the certificate and keys selected are different from ADFS)
Checked: Want Signed Assertion
Unchecked: Want Encrypted Assertion

Advanced Settings:
~~~~~~~~~~~~~~~~~~
Unchecked: Force Authentication
Checked: Allow Name-Identifier Creation

Name-Identifier Policy Format: urn:oasis:names:tc:SANL:1.1:nameid-format:WindowsDomainQual...

SP Name-Identifier Qualifier: None

I am getting the following error:

/frontend/F5-SP:frontend:dbad7144: Executed agent '/frontend/F5-SP_act_saml_auth_ag', return value 3
/frontend/F5-SP:frontend:dbad7144: Session variable 'saml./frontend/F5-SP_act_saml_auth_ag.SAMLRequest' set to 'hhhhhhhhhhhhXXXXXX'
/frontend/F5-SP:frontend:dbad7144: SAML Agent: /frontend/F5-SP_act_saml_auth_ag SAML assertion is invalid, error: Assertion status is not successful
/frontend/F5-SP:frontend:dbad7144: Executed agent '/frontend/F5-SP_act_saml_auth_ag', return value 0
/frontend/F5-SP:frontend:dbad7144: Following rule 'fallback' from item 'SAML Auth' to ending 'Deny'

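The APM log line "SAML assertion is invalid, error: Assertion status is not successful" in the post above means the IdP answered with a SAML Response whose <samlp:Status> is something other than Success; APM is reporting the IdP's verdict, not a problem with the assertion signature. The script below is an added example (not code from this thread or from F5) that decodes a POSTed SAMLResponse and pulls out the top-level status code, the nested sub-status code, the StatusMessage and the NameID format, which is what you need before opening the AD FS event log. Both SAML Responses embedded in it are constructed for this example; the issuer, destination and user names are placeholders.

```python
"""Decode a SAML 2.0 Response and inspect its <Status> block.

Added example, not code from the DevCentral thread or from F5. When APM
logs "SAML assertion is invalid, error: Assertion status is not successful",
the IdP (here AD FS) answered with a <samlp:Status> other than Success.
The top-level code, the nested sub-status code and the StatusMessage say why.
All sample responses below are constructed for this example.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def decode_saml_response(form_value: str) -> bytes:
    """Undo the base64 wrapping of the SAMLResponse form field (POST binding)."""
    return base64.b64decode(form_value)


def inspect_status(xml_bytes: bytes) -> dict:
    """Return status codes, StatusMessage and NameID details of a Response."""
    root = ET.fromstring(xml_bytes)
    status = root.find("samlp:Status", NS)
    if status is None:
        raise ValueError("not a SAML Response: <samlp:Status> missing")
    top = status.find("samlp:StatusCode", NS)
    top_code = top.get("Value") if top is not None else None
    # A failure usually carries a second, nested StatusCode with the detailed reason.
    sub = top.find("samlp:StatusCode", NS) if top is not None else None
    msg = status.find("samlp:StatusMessage", NS)
    # Only a successful Response carries an Assertion with a Subject/NameID.
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    return {
        "success": top_code == SUCCESS,
        "status": top_code,
        "sub_status": sub.get("Value") if sub is not None else None,
        "message": msg.text.strip() if msg is not None and msg.text else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "name_id": name_id.text if name_id is not None else None,
    }


def summarize(result: dict) -> str:
    """One line in the spirit of the APM log, but with the IdP's reason attached."""
    if result["success"]:
        return f"assertion OK for {result['name_id']!r} ({result['name_id_format']})"
    return (f"assertion rejected: status={result['status']} "
            f"sub_status={result['sub_status']} message={result['message']!r}")


# Constructed failure: the shape of a Response that makes APM log
# "Assertion status is not successful". Issuer and Destination are placeholders.
FAILED_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://login.example.com/saml/acs-placeholder">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>constructed: IdP refused the AuthnRequest</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""

# Constructed success with a WindowsDomainQualifiedName NameID (the format the
# post's policy asks for); the user EXAMPLE\jdoe is a placeholder.
OK_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://login.example.com/saml/acs-placeholder">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_constructed-a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">EXAMPLE\\jdoe</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# What the browser actually POSTs to the SP: the XML wrapped in base64.
ENCODED_OK_RESPONSE = base64.b64encode(OK_RESPONSE).decode()

if __name__ == "__main__":
    print(summarize(inspect_status(FAILED_RESPONSE)))
    print(summarize(inspect_status(decode_saml_response(ENCODED_OK_RESPONSE))))
```

To use it on a real session, copy the SAMLResponse value from the browser's POST to the APM assertion consumer endpoint and feed it to decode_saml_response; the sub-status and StatusMessage from AD FS tell you whether the relying-party trust, the requested NameID format or the signing certificate is the part to fix, which the APM log line alone does not.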

I'm also trying to implement similar configurations. We host a SaaS application for our clients, so we would like to have APM as SP, which will communicate with the client's IdP (could be anything).
