F5 BIG-IP APM - SAML
Many companies use software in the cloud. That is, they consume Software as a Service (SaaS) instead of installing the software on site. This is a great advantage because it is usually cheaper and, what's more, companies don't have to worry about upgrades and maintenance tasks. However, when a company has many users who need access to this software, it wants to keep managing the user database itself in order to allow or deny users access to the SaaS application.
OAuth, SAML and OpenID are standards for decentralized (federated) authentication. Thanks to these standards, companies can use SaaS applications while the user database stays on site. For instance, this can be accomplished with SAML, the Security Assertion Markup Language, where there is one Identity Provider (IdP) and many Service Providers (SP), the SaaS applications. The IdP could be configured on a pair of F5 BIG-IP APM devices while the SPs would be Google Apps, AWS, Office 365, etc.
[Image: Fortinet SAML service]
When we use decentralized authentication such as SAML with F5 APM, there are four steps. Firstly, the user logs on to the IdP and is directed to a web portal. Secondly, the user selects a SaaS application from the web portal. Thirdly, F5 APM may retrieve attributes from the user database to pass on to the SaaS service provider. Finally, APM directs the request to the SaaS service with the SAML assertion and the optional attributes via the user's browser. However, there is another, similar configuration with five steps, where the user accesses the SaaS service first (an SP-initiated flow). It's up to you which one suits your infrastructure.
[Image: Configuration example]
Some SaaS services require attributes such as an account ID, a role or others, and these attributes have to be sent to the application from the IdP through the user's web browser. For instance, AWS SAML assertions use two SAML attributes: the first identifies the username associated with the session, and the second identifies the AWS security role that should be assigned to the session.
[Image: AWS SAML Attributes]
F5 APM can be configured as an IdP as well as an SP. Once you know the concepts, the SAML configuration is easy to deploy in F5 APM thanks to iApps and the Visual Policy Editor (VPE): the IT engineer answers the questions in the wizard and then modifies the boxes in the VPE to fit the configuration to the infrastructure. The VPE is a useful tool which helps us add and delete boxes such as a webtop with many SaaS applications.
[Image: Visual Policy Editor]
If you would like to test a federated domain configured on your F5 APM against AWS, you can do it with this Assertion Consumer Service URL: https://signin.aws.amazon.com/saml
Once you type the Active Directory credentials, the BIG-IP system should issue a SAML assertion to the SaaS application. Nevertheless, if you have any issue, you can use the Firefox SAML Tracer plugin, HttpWatch or Fiddler to trace it.
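As an added example (not code from the original post, nor from F5 or AWS), here is a small Python script that applies the checks a service provider such as AWS performs on the assertion described above and pulls out the two AWS attributes; it is the kind of check you would run on an assertion captured with SAML Tracer when troubleshooting. The assertion, the account ID and the provider name are constructed sample values; the attribute names and the audience are the ones AWS documents. The script only checks that a signature element is present, it does not verify the signature.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
AWS_ROLE = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_SESSION = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
AWS_AUDIENCE = "urn:amazon:webservices"
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # reference time for the sample

# Constructed sample assertion (not captured from a real BIG-IP); the signature
# is a placeholder, so only its presence is checked below, not its validity.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_1" Version="2.0">
  <saml:Issuer>https://idp.example.net/saml/idp</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>urn:amazon:webservices</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>jdoe@example.net</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/F5-APM</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

def _utc(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def inspect_assertion(xml_text, now):
    # Returns the SP-side checks and the AWS attributes the IdP sent
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    # AWS Role values are "role-arn,saml-provider-arn" pairs
    roles = [tuple(v.split(",", 1)) for v in attrs.get(AWS_ROLE, [])]
    return {
        "signed": root.find("ds:Signature", NS) is not None,
        "audience_ok": AWS_AUDIENCE in audiences,
        "in_window": _utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter")),
        "session_name": (attrs.get(AWS_SESSION) or [None])[0],
        "roles": roles,
    }

if __name__ == "__main__":
    print(inspect_assertion(SAMPLE, NOW))
```

If the SP rejects the login, a missing signature, a wrong audience or an assertion outside its validity window (clock skew between the BIG-IP and the SP) are the first things this reveals.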
Regards my friends. Keep learning! Keep studying!