Forum Discussion

Nifford (Nimbostratus)
Jan 25, 2016

Multiple F5 IdPs on One Access Profile w/IdP and SP-Initiated Logon

Here is my scenario:


I have multiple external SAML services for which we need the F5s to function as an IdP. The F5s need to support both IdP- and SP-initiated authentication to all of the external SAML services.


I've tried following the guide https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-2/29.html, but I'm not having any luck so far.


The only way I have been able to support IdP- and SP-initiated authentication to multiple servers is to associate each IdP's Entity ID with a unique hostname (e.g. saml-salesforce.company.com/samlidp/salesforce, saml-webex.company.com/samlidp/webex) and then modify the access profile SSO configuration to multi-domain, associating each hostname with the corresponding SSO Config.

Is there a better/cleaner way to do this?


I've tried setting all the Entity IDs to the same hostname (e.g. saml.company.com/samlidp/salesforce, saml.company.com/samlidp/webex) and changing the access profile domain mode to single domain. Every time I do, SP-initiated SSO fails for any configuration not selected under "SSO Configuration". If I select "None", all SP-initiated SSO fails.


Please let me know if you have any input, or if you have any further questions that I can answer.


3 Replies

  • I think there is some confusion there. Have you seen this part of the documentation?


    https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/28.html


    If you want to support SP- and IdP-initiated connections, then you need to create SAML Resource objects and assign them to the webtop. So, the best-practice setup for you would be to create a unique IdP object for each SP you have (the entity ID can be the same/redundant across all IdP configs), then bind each IdP and SP connector together, create a SAML Resource object, and assign all SAML Resource objects to the webtop.


    After that, you should have both SP- and IdP-initiated logins working without issues. Do not assign anything to the SSO at the Access Profile level in order for this to work.
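The reply above describes the shape of the fix: one IdP service per SP, each bound to exactly one SP connector, each published as a webtop resource, and a shared IdP entity ID. The following added example (not from this thread and not F5/APM code) models that layout in plain Python to show why it works for both flows: an SP-initiated logon is dispatched by the `<Issuer>` of the inbound AuthnRequest (the SP's entity ID), while an IdP-initiated logon is dispatched by the webtop resource the user clicked. The entity IDs, ACS URLs, resource names and the AuthnRequest it builds are all constructed for the example.

```python
"""Added example: dispatching SP- and IdP-initiated SAML logons across several
SPs behind one IdP. Not F5 code; all identifiers below are constructed."""
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed: a single IdP entity ID shared by every binding, as the reply allows.
IDP_ENTITY_ID = "https://saml.company.com/samlidp"

# Constructed table mirroring the reply's layout: one IdP service per SP, each
# bound to one SP connector and published as one SAML resource on the webtop.
# Keys are SP entity IDs, which is what an AuthnRequest carries in <Issuer>.
SP_CONNECTORS = {
    "urn:example:salesforce-sp": {
        "resource": "saml-salesforce",            # hypothetical webtop resource name
        "acs_url": "https://sf.example.net/saml/acs",
    },
    "urn:example:webex-sp": {
        "resource": "saml-webex",
        "acs_url": "https://webex.example.net/saml/acs",
    },
}
# Reverse index for IdP-initiated logon: a webtop link names a resource, not an SP.
RESOURCES = {v["resource"]: k for k, v in SP_CONNECTORS.items()}


def build_redirect_request(sp_entity_id, acs_url, request_id="_req1"):
    """Produce the SAMLRequest query parameter an SP sends over the HTTP-Redirect
    binding: AuthnRequest XML, raw DEFLATE, then base64 (constructed sample input)."""
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="2016-01-25T00:00:00Z" '
        f'AssertionConsumerServiceURL="{acs_url}" Destination="{IDP_ENTITY_ID}">'
        f"<saml:Issuer>{sp_entity_id}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)     # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    return base64.b64encode(deflated).decode()


def decode_redirect_request(saml_request):
    """Inverse of build_redirect_request: returns (issuer, acs_url_or_None)."""
    raw = zlib.decompress(base64.b64decode(saml_request), -15)
    root = ET.fromstring(raw)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    return (issuer.strip() if issuer else None), root.get("AssertionConsumerServiceURL")


def route_sp_initiated(saml_request):
    """SP-initiated logon: choose the binding by the request's <Issuer>.
    Returns None when no SP connector is bound for that issuer, or when the
    request asks for an ACS other than the one registered for that SP."""
    issuer, acs = decode_redirect_request(saml_request)
    binding = SP_CONNECTORS.get(issuer)
    if binding is None:
        return None          # unbound SP: the failure mode the thread ran into
    if acs is not None and acs != binding["acs_url"]:
        return None          # never post an assertion to an unregistered ACS
    return {"sp_entity_id": issuer, **binding}


def route_idp_initiated(resource_name):
    """IdP-initiated logon: the user clicked a webtop resource, so the SP is
    selected by resource name rather than by an inbound AuthnRequest."""
    sp = RESOURCES.get(resource_name)
    return None if sp is None else {"sp_entity_id": sp, **SP_CONNECTORS[sp]}


if __name__ == "__main__":
    req = build_redirect_request("urn:example:webex-sp", "https://webex.example.net/saml/acs")
    print(route_sp_initiated(req))
    print(route_idp_initiated("saml-salesforce"))
```

The point the model makes explicit: nothing in either lookup depends on the IdP's own entity ID or on the hostname the request arrived at, so a single shared IdP entity ID and a single-domain profile are enough once every SP has its own connector binding. The ACS comparison is the check a practitioner would want in any IdP that honours `AssertionConsumerServiceURL` from the request.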


  • Right you are. I modified the configuration, and it is working as expected now. I believe I tried this before, but I must have had something assigned for SSO at the Access Profile level, which explains why it didn't work the first time.


    Thanks for your time and input.