Forum Discussion

juajua_377157
Apr 16, 2019

SAML authentication + SSO

I'm trying to build a SAML gateway that would authenticate users from different ADFS/SAML IdPs and then forward the request to a pool with some kind of SSO. I've managed to configure BIG-IP with the SP role, and have it use different IdPs depending on the URL. If the client is forwarded to https://hostna.me/corp1 it gets forwarded to Corp1 ADFS, and /corp2 authenticates users against the corp2 IdP. I get the username in session.logon.last.username, but I'm wondering what's the best way to forward this info to the back end web servers? And how to do that in the access policy editor?


Is it also possible to get client redirected to https://hostna.me instead of having the /corp1 or /corp2 as part of the URL.


Thanks!


2 Replies

  • Hi,


    You can use Kerberos SSO or header/cookie-based SSO for this. Kerberos SSO can be configured under SSO configurations and assigned to your access profile (on the profile level). You also need to add the SSO credential mapping agent in the VPE. Header/cookie-based SSO can be done with an iRule.


    How will the BIG-IP SP know to which IdP to redirect the user if they all land on the same URI?


    Cheers,


    Kees


  • There are too many "forward"s in your question...


    If I understand correctly, you are configuring APM as a SAML SP authenticating against 2 different SAML IdPs based on the landing URI (the first URI requested when not yet authenticated).


    So authentication is configured as expected, and you are asking here how to configure SSO with the back end server...


    When authenticating with external SAML IdP, APM doesn't know the user password. So only passwordless SSO methods are available.


    As Kees already answered, the best SSO method is Kerberos. It is easy to configure and available for most web services (Windows IIS, Apache, Tomcat, ...).
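The header-based, passwordless SSO that both replies describe, written out as an added iRule example (not code from the thread, from F5, or from the original poster). It assumes the pool members accept connections only from this BIG-IP, and it uses a constructed header name, X-Authenticated-User, that the backend is assumed to read:

```tcl
# Added example: pass the APM-authenticated username to the pool as a request header.
# Assumption: the backend trusts X-Authenticated-User (hypothetical name) only because
# BIG-IP sets it, so it must not be reachable by clients directly.

when HTTP_REQUEST {
    # Drop any client-supplied copy of the header first, so a user cannot
    # smuggle their own identity value past the SP to the backend.
    HTTP::header remove "X-Authenticated-User"
}

when ACCESS_ACL_ALLOWED {
    # Fires only after the access policy has allowed the request, so the
    # SAML-populated session variable is available here.
    set user [ACCESS::session data get "session.logon.last.username"]
    if { $user ne "" } {
        HTTP::header insert "X-Authenticated-User" $user
    } else {
        # Fail closed: never forward a request with no identity in the session.
        ACCESS::respond 403 content "Forbidden"
    }
}
```

The same pattern works for a cookie-based backend by replacing the header insert with HTTP::cookie insert; in both cases the username is asserted by BIG-IP alone, which is why stripping the inbound header and isolating the pool are part of the example rather than optional extras.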