Forum Discussion

MC_273315
Jul 19, 2016
Solved

APM SP connections - Subject Types

Here is a general question on the functionality of the F5 APM module; we have been testing out SSO connections such as WebEx and ShareFile (SP initiated). The original idea was to share or reuse the infrastructure, such as https://saml.domain.com, to provide assertions with a public presence and a real certificate.

I'm quickly realizing that SPs need conflicting settings with regard to subject type. Is the only solution to create additional SP domains to handle the various types, along with additional certificates? I expect 3-4 would cover the majority of the SPs that require emailAddress versus Unspecified, etc. Attributes seem not to be an issue, as you can value many or any.

Or is there a way to value subject type based on the unique SP connectors? Thanks for the help.

 

  • If I understand you right, I think you might be under a misconception about how SAML IDP configuration works on the BIG-IP. You can certainly have multiple IDP/SP bindings configured on the same virtual server. To fully visualize how it happens, I suggest you leverage this iApp to set up your initial federation with a couple of SaaS apps and take a look at the config it creates - it should hopefully be self-explanatory after that. :) If not, fire away your questions here.

    https://devcentral.f5.com/codeshare/saas-federation-iapp

12 Replies


    • MC_273315

      Just to clarify my train of thought, we do have multiple bindings on our (Local IdP Service), which are various SP connectors.

      What I'm trying to determine is if there is in fact a 1-to-1 relationship between [Local IdP Service]-[Access Profile]-[Virtual Server]. The Access Profile and Virtual Server have a dropdown which associates them to each other. I'd like to create a new [Local IdP Service] and reuse the same [Access Profile] and [Virtual Server]. The new [Local IdP Service] is needed since I need a new Subject Type.

      I'll try out that iApp; it is possible I am missing a key configuration piece. Version - BIG-IP 11.5.3 Build 1.0.167 Hotfix HF1

      Thanks, Mike

    • Michael_Koyfman

      I hope things will be self-explanatory once you see the config produced by the iApp. The gist is that you do not have to assign the IDP service to Access Profile as the SSO, but rather as SAML Resource in the VPE, and you can have multiple IDP-to-SP mappings assigned there.
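      As an added illustration (not code from the thread, the iApp, or F5 itself), here is the per-SP behaviour Michael describes, in plain Python: one IdP issuer, several SP connectors, and the NameID Format taken from each SP's binding rather than set once for the whole IdP service. The SP entity IDs and the user record are constructed placeholders, and the assertion is minimal and unsigned.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Standard NameID Format URNs for the two subject types the question contrasts.
NAMEID_FORMATS = {
    "emailAddress": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "unspecified": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}

IDP_ISSUER = "https://saml.domain.com"  # the shared issuer from the question

# One entry per SP connector (entity IDs are constructed placeholders).
# The subject type is decided here, per SP, not once for the IdP service.
SP_CONNECTORS = {
    "https://sp-a.example/saml/metadata": {"nameid": "emailAddress", "attr": "mail"},
    "https://sp-b.example/saml/metadata": {"nameid": "unspecified", "attr": "uid"},
}


def build_assertion(sp_entity_id, user):
    """Return a minimal (unsigned) <saml:Assertion> built for one SP binding."""
    if sp_entity_id not in SP_CONNECTORS:
        raise ValueError(f"no SP connector for {sp_entity_id}")  # unknown SP: refuse
    sp = SP_CONNECTORS[sp_entity_id]
    assertion = ET.Element(f"{{{NS}}}Assertion")
    ET.SubElement(assertion, f"{{{NS}}}Issuer").text = IDP_ISSUER
    subject = ET.SubElement(assertion, f"{{{NS}}}Subject")
    name_id = ET.SubElement(subject, f"{{{NS}}}NameID", Format=NAMEID_FORMATS[sp["nameid"]])
    name_id.text = user[sp["attr"]]  # value source also follows the SP binding
    # AudienceRestriction ties the assertion to the one SP it was built for,
    # so an assertion for SP A is not accepted by SP B.
    conditions = ET.SubElement(assertion, f"{{{NS}}}Conditions")
    restriction = ET.SubElement(conditions, f"{{{NS}}}AudienceRestriction")
    ET.SubElement(restriction, f"{{{NS}}}Audience").text = sp_entity_id
    return assertion


def subject_of(sp_entity_id, user):
    """(NameID Format, NameID value) that the given SP would receive."""
    name_id = build_assertion(sp_entity_id, user).find(f"{{{NS}}}Subject/{{{NS}}}NameID")
    return name_id.get("Format"), name_id.text


if __name__ == "__main__":
    ET.register_namespace("saml", NS)
    alice = {"mail": "alice@domain.com", "uid": "alice"}  # constructed user record
    for sp in SP_CONNECTORS:
        print(ET.tostring(build_assertion(sp, alice), encoding="unicode"))
```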

       
