Overview: Configure SAML SP policy workflows

Security Assertion Markup Language (SAML) defines a common XML framework for creating, requesting, and exchanging authentication and authorization data among entities known as Identity Providers (IdPs) and Service Providers (SPs). This exchange enables a single sign-on among such entities.

  • An identity provider is a system or administrative domain that asserts information about a subject. The information that an IdP asserts pertains to authentication, attributes, and authorization. An assertion is a claim that an IdP makes about a subject.

  • A service provider is a system or administrative domain that relies on information provided by an IdP. Based on an assertion from an IdP, a service provider grants or denies access to protected services.

In simple terms, an IdP is a claims producer, and a service provider is a claims consumer. An IdP produces assertions about users, attesting to their identities. Service providers consume and validate assertions before providing access to resources.

When BIG-IP Next Access acts as a SAML SP, the SP service (a type of AAA service in Access) identifies the correct IdP and redirects the user to authenticate against that IdP before allowing access to resources behind Access. The SP service requests authentication from an external SAML IdP that is specified on Access in a SAML IdP connector. You bind a SAML SP service to one or more SAML IdP connectors.

SP initiated vs. IdP initiated

SP initiated vs. IdP initiated refers to where the authentication flow starts.

BIG-IP Next Access as SAML SP (SP initiated)

In an SP-initiated login, a user tries to access an application by typing its URL in the browser. BIG-IP Next redirects the request to the SAML IdP. The SAML IdP then presents an interface to collect the user's credentials and validates them against a directory service. Once the credentials are validated, the IdP delivers an assertion to the SAML SP (BIG-IP Next) through a redirect. Finally, BIG-IP Next verifies the SAML assertion and allows the user to access the application.

Access as SAML SP (SP initiated)

  1. User accesses SAML SP.

  2. SAML SP redirects the user to SAML IdP, where the user authenticates.

  3. SAML IdP validates the credentials.

  4. SAML IdP redirects user back to SAML SP with SAML assertion.

  5. BIG-IP receives the SAML assertion, verifies it, and provides access to the application.

BIG-IP Next Access as SAML SP (IdP initiated)

In an IdP-initiated login, the user accesses the IdP directly by typing the IdP URL in the browser. The IdP presents an interface to collect the user's credentials, validates them against a directory service, and creates an assertion. For valid credentials, the IdP may display an interface such as a Webtop that lists the available applications. When the user clicks an application resource, the browser is redirected to the SP (BIG-IP Next) along with the assertion. BIG-IP Next verifies the received assertion and provides access to the application.

Access as SAML SP (IdP initiated)

  1. User accesses IdP and authenticates.

  2. SAML IdP validates credentials and collects data from the directory.

  3. After selecting a SAML Resource, SAML IdP redirects the user back to the SAML SP with a SAML assertion.

  4. BIG-IP receives the SAML assertion, verifies it, and allows access to the application.
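As an added example (not F5 code and not the product's own verification logic), the following Python shows what "verifies it" amounts to on the SP side in the last step of both flows above: the status, issuer, destination, audience, validity window and bearer confirmation are checked, and the InResponseTo handling is what distinguishes an SP-initiated response (it must match an AuthnRequest this SP issued) from an IdP-initiated, unsolicited one (accepted only when the SP service allows it). The entity IDs, ACS URL and the SAML response are constructed sample values; XML signature verification against the IdP connector's certificate is assumed to have already passed and is not shown.

```python
"""Added example (not F5 code): SP-side checks a SAML assertion must pass
before access is granted, for SP-initiated and IdP-initiated logins.
Assumes XML signature verification against the IdP connector's certificate
has already succeeded; that step needs an XML-DSig library and is not shown.
"""
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed values standing in for the SP service and IdP connector settings.
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/metadata"

# Constructed sample: a Response as received at the ACS after decoding the
# SAMLResponse form field (signature elements omitted, see docstring). The two
# InResponseTo attributes are what an SP-initiated flow carries; an
# IdP-initiated (unsolicited) response has neither.
SP_INITIATED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z" Destination="https://sp.example.com/saml/acs"
    InResponseTo="_req42">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00Z"
            Recipient="https://sp.example.com/saml/acs" InResponseTo="_req42"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
# Same response with both InResponseTo attributes removed: an unsolicited
# response, i.e. what an IdP-initiated login delivers.
IDP_INITIATED_RESPONSE = SP_INITIATED_RESPONSE.replace(' InResponseTo="_req42"', "")


def parse_saml_time(value):
    """SAML timestamps are UTC xs:dateTime values such as 2024-05-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


SAMPLE_NOW = parse_saml_time("2024-05-01T12:01:00Z")  # constructed "current time"


def _q(ns, tag):
    return "{%s}%s" % (ns, tag)


def check_response(xml_text, *, now, outstanding_request_ids, allow_unsolicited=False,
                   skew=timedelta(seconds=60), sp_entity_id=SP_ENTITY_ID,
                   acs_url=ACS_URL, idp_entity_id=IDP_ENTITY_ID):
    """Return the list of failed checks; an empty list means access may be granted."""
    failures = []
    root = ET.fromstring(xml_text)
    if root.tag != _q(SAMLP, "Response"):
        return ["not a samlp:Response"]
    code = root.find("./%s/%s" % (_q(SAMLP, "Status"), _q(SAMLP, "StatusCode")))
    if code is None or code.get("Value") != SUCCESS:
        failures.append("status is not Success")
    if root.get("Destination") != acs_url:
        failures.append("Destination is not this SP's ACS URL")
    assertions = root.findall(_q(SAML, "Assertion"))
    if len(assertions) != 1:  # refuse ambiguous multi-assertion responses
        return failures + ["expected exactly one Assertion, got %d" % len(assertions)]
    assertion = assertions[0]
    for issuer in (root.find(_q(SAML, "Issuer")), assertion.find(_q(SAML, "Issuer"))):
        if issuer is None or (issuer.text or "").strip() != idp_entity_id:
            failures.append("Issuer is not the bound IdP connector")
            break
    conditions = assertion.find(_q(SAML, "Conditions"))
    if conditions is None:
        failures.append("Conditions missing")
    else:
        not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and now + skew < parse_saml_time(not_before):
            failures.append("assertion not yet valid")
        if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
            failures.append("assertion expired")
        audiences = [a.text.strip() for a in conditions.iter(_q(SAML, "Audience")) if a.text]
        if sp_entity_id not in audiences:
            failures.append("AudienceRestriction does not name this SP")
    # Bearer subject confirmation ties the assertion to this ACS and, in an
    # SP-initiated login, to the AuthnRequest this SP actually issued.
    data, subject = None, assertion.find(_q(SAML, "Subject"))
    for sc in ([] if subject is None else subject.findall(_q(SAML, "SubjectConfirmation"))):
        if sc.get("Method") == BEARER:
            data = sc.find(_q(SAML, "SubjectConfirmationData"))
            break
    if data is None:
        return failures + ["no bearer SubjectConfirmationData"]
    if data.get("Recipient") != acs_url:
        failures.append("Recipient is not this SP's ACS URL")
    expiry = data.get("NotOnOrAfter")
    if expiry and now - skew >= parse_saml_time(expiry):
        failures.append("bearer confirmation expired")
    in_response_to = data.get("InResponseTo")
    if in_response_to is None:
        # No request ID: an IdP-initiated (unsolicited) login, accepted only
        # when the SP service is configured to allow it.
        if not allow_unsolicited:
            failures.append("unsolicited assertion but IdP-initiated login is not enabled")
    elif in_response_to not in outstanding_request_ids:
        # SP-initiated: the ID must match a request this SP issued and has not
        # yet consumed, which rejects a replayed response.
        failures.append("InResponseTo does not match an outstanding AuthnRequest")
    return failures
```

The SP keeps the IDs of the AuthnRequests it has issued (and removes each one once consumed), which is why the SP-initiated sample passes only while `_req42` is outstanding; the IdP-initiated sample carries no request ID and is accepted only with `allow_unsolicited=True`, mirroring the choice an SP service makes when IdP-initiated logins are enabled.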

You can configure a SAML policy using either the BIG-IP Next Central Manager user interface or the BIG-IP Next Central Manager API.

SAML SP policy workflows

Several workflows can be used to create a SAML policy. Choose the workflow that best fits your situation:

  • Create a policy with signed authentication requests

  • Create a policy with an encrypted assertion

  • Create a policy with an IdP’s assertion verification certificate

  • Create a policy with attribute consuming services

  • Create a policy with authentication context classes

  • Create a policy with an artifact resolution service

  • Create a policy with multiple IdP connectors

  • Create a policy with HTTP Headers and Cookies

  • Create a policy with Kerberos SSO

SAML SP policy workflows using BIG-IP Next Central Manager