Forum Discussion
4 Replies
Please take a look at this deployment guide - it should address your needs:
https://www.f5.com/pdf/deployment-guides/saml-idp-saas-dg.pdf
- jzimm_253086Nimbostratus
Hi
 
I also have a similar setup: currently I have 3 x F5 APM IDPs with Google Apps, Office 365 and Zscaler on 3 separate VIPs/APM policies; all three use the same back-end AAA AD object and are currently SP-initiated only.
 
The SAML assertions from all three services, as far as I'm aware/have set up, all have differing requirements for the SAML Subject field (Google=email, Office365=UPN, Zscaler=sAMAccountName), and these are not changeable on the SP side.
 
I have read the above recommended guide and wanted to clarify/ask if it is possible to have these 3 SAML assertion subject fields somehow reproduced/recreated by a single F5 IDP object.
 
I have also read the F5 IDP chaining to external IDP guide here: https://devcentral.f5.com/s/articles/apm-cookbook-saml-idp-chaining
 
I'm thinking that perhaps chaining the three F5 IDPs together may also produce the desired result, by recreating the SAML assertion between the 3 IDPs.
 
All these IDP VIPs/policies exist on the same device, which is an HA pair of BIG-IP appliances.
 
Thanks
 
Jzimm
 
Yes, you most certainly can have it all done on a single IDP. What you do is just take the IDP configurations you already have defined and consolidate them into a single policy - i.e. assign all SAML resources to a single APM policy. Of course, you will probably need to update your SAML configs/metadata on the SP side to account for the same ACS instead of using three different ACS URLs - but that should be it. You can run through the iApp as a dummy and see what kind of config it builds when configuring multiple SPs to be federated by a single IDP, if you want to be sure your config is an exact match of what the iApp creates.
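One way to picture what a single IDP object has to do for these three SPs, as an added example that is not code from this thread or from F5 APM: pick the Subject attribute per SP connector from the shared AD record, and release the assertion only to that SP's registered ACS. The entity IDs, ACS URLs, user record and NameID formats below are constructed assumptions.

```python
# Added example, not code from the thread or from F5 APM: one IdP object serving
# the three SPs, picking the Subject NameID per SP connector from the shared AD
# record. Entity IDs, ACS URLs, user record and NameID formats are assumptions.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_UNSPEC = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ET.register_namespace("saml", SAML_NS)

# Per SP connector: AD attribute for the Subject, NameID format, registered ACS.
SP_CONNECTORS = {
    "https://google.sp.example/saml": {
        "subject_attr": "mail", "format": FMT_EMAIL,
        "acs": "https://google.sp.example/acs"},
    "https://o365.sp.example/saml": {
        "subject_attr": "userPrincipalName", "format": FMT_UNSPEC,
        "acs": "https://o365.sp.example/acs"},
    "https://zscaler.sp.example/saml": {
        "subject_attr": "sAMAccountName", "format": FMT_UNSPEC,
        "acs": "https://zscaler.sp.example/acs"},
}

# Constructed record, as the shared AAA AD object would return it.
AD_USER = {
    "mail": "jdoe@corp.example",
    "userPrincipalName": "jdoe@corp.example",
    "sAMAccountName": "jdoe",
}

def choose_subject(sp_entity_id, requested_acs, user):
    """Return (NameID value, format) for this SP; refuse unknown SPs and an
    ACS that differs from the registered one, so a crafted AuthnRequest
    cannot have the assertion delivered somewhere else."""
    sp = SP_CONNECTORS.get(sp_entity_id)
    if sp is None:
        raise ValueError("no SP connector for issuer %s" % sp_entity_id)
    if requested_acs != sp["acs"]:
        raise ValueError("ACS %s not registered for %s" % (requested_acs, sp_entity_id))
    return user[sp["subject_attr"]], sp["format"]

def subject_element(sp_entity_id, requested_acs, user=AD_USER):
    """Build the <saml:Subject> fragment the assertion for this SP carries."""
    value, fmt = choose_subject(sp_entity_id, requested_acs, user)
    subject = ET.Element("{%s}Subject" % SAML_NS)
    name_id = ET.SubElement(subject, "{%s}NameID" % SAML_NS, Format=fmt)
    name_id.text = value
    return ET.tostring(subject, encoding="unicode")
```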
- jzimm_253086Nimbostratus
Thanks for the quick response, Michael.
I will give it a try
Jzimm