How to: Create SAML SP policy workflows using BIG-IP Next Central Manager

This content provides workflows for creating basic SAML policies. For each of the following policy types, there are steps for using either the GUI or API calls.

Create a policy with signed authentication requests

Configure a SAML policy with signed authentication requests if you want the SP (BIG-IP) to send signed authentication requests to an IdP.

Using BIG-IP Next Central Manager GUI

In this example, we use the BIG-IP Next Central Manager user interface to create a new SAML service provider (SP) Access policy with signed authentication requests.

  1. Log in to BIG-IP Next Central Manager as admin, click the Workspace icon, click Security, and then click Access.

  2. At the top of the screen, click Create.
    The Visual Policy Designer (VPD) workspace opens.

  3. At the top of the page, click the Edit icon.
    The Create Policy page opens.

  4. Type a Policy Name for the policy.

  5. Scroll through the remaining (optional) properties and revise any value that you want to change from its default setting.

  6. Click Save & Continue.
    The Session Properties tab of the Create Policy page opens.

  7. Scroll through the properties on this tab and revise any value that you want to change from its default setting.

  8. Click Save & Continue.
    The Logging tab of the Create Policy page opens.

  9. Select the logging level for Traffic Manager.

  10. Select the logging level for Web SSO.

  11. Select the logging level for Access Policy.

  12. Select the logging level for Renderer.

  13. Click Save & Continue.
    The Single Sign-On tab of the Create Policy page opens.

  14. To specify a single sign-on method for this policy, click Start Creating, then select a method.

    • For details about specifying an HTTP Basic method, see HTTP Basic SSO.

    • For details about specifying a Kerberos method, see Kerberos SSO.

  15. Click Save & Continue. The Policy Endings tab of the Create Policy page opens.

  16. Confirm that the policy endings are correctly set and then click Save & Finish.
    The VPD workspace opens.

  17. Drag the Basic-SAML-Auth flow into the VPD workspace.

  18. On the Basic-SAML-Auth flow, click the Expand icon.
    The flow expands so you can edit it.

  19. Hover the cursor over the SAML_Auth rule and then click the Edit icon.
    The General Properties tab of the Rule Configuration page opens.

  20. Specify General Properties for the policy.

    1. For Service Name, type the name for the service.

    2. Click Save & Continue.
      The Providers tab opens.

  21. Under Service Providers, click Edit. The Add Service Provider page opens.

  22. For Audience URI (Entity ID), confirm that the URI for the service is correct.

  23. For Host, confirm that the URL for the website is correct.

    Note: The URL must include the scheme & hostname. Host is only required if the entity ID is not in URL format.

  24. Under Security Properties, select Sign Authentication Requests.

  25. From Message Signing Certificate and Key, select a certificate and key pair.

  26. Under Security Properties, clear the Want Encrypted Assertion checkbox.

  27. Scroll through the remaining (optional) properties and revise any value that you want to change from its default setting.

  28. Click Save to save the Service Provider settings and return to the Providers tab.

  29. Under Identity Providers, decide whether you are going to specify settings for the provider or import them.

    • To specify settings for an identity provider:

      1. Click Start Creating.
        The Add Identity Provider page opens.

      2. For Issuer (Entity ID), type the ID for the identity provider.

      3. For Single Sign-on Service URL, type the URL for this connector.

      4. Click Save.

    • To import settings for an identity provider from a file:

      1. Click Import, then select Import from metadata.
        The Import from metadata page opens.

      2. Drag and drop or browse to the file you want to import.
        When you complete your selection, BIG-IP Next Central Manager imports the settings from the file you chose and displays them on screen.

      3. When you are satisfied with the settings, click Save.

    • To import settings for an identity provider from a URL:

      1. Click Import, then select Import from URL.
        The Import from URL screen opens.

      2. Enter the URL provided by your identity provider and click Enter.
        BIG-IP Next Central Manager imports the settings from the URL you chose and displays them on screen.

      3. When you are satisfied with the settings, click Save.

  30. On the Providers tab of the Rule Configurations page, click Save & Continue.
    The Branches tab of the Rule Configurations page opens.

  31. Under Branches, click Create.
    The Branches page opens.

  32. Under Expression, select a Context and a Condition for this branch, then select the option appropriate for the context you selected.

  33. Add any (optional) AND or OR branches needed for the policy, and then click Save & Finish.

  34. On the Branches tab of the Rule Configuration page, click Save & Finish.
    The VPD workspace displays the revised policy.

  35. Review the policy in the VPD workspace; then, when you are satisfied with the settings, click Save & Finish to finish creating the policy.
    BIG-IP Next Central Manager adds the policy to the Access Policies list.

Note: To deploy this policy with an application, you deploy an application that uses the Access template. When you specify that template as part of application deployment, you choose the policy that you want to deploy with it. For additional details about deploying an application, refer to How to: Manage applications using BIG-IP Next Central Manager and FAST templates.

Using BIG-IP Next Central Manager API

In this example, we use the BIG-IP Next Central Manager application programming interface (API) to create a new SAML service provider (SP) Access policy with a signed authentication request.

  • isAuthnRequestSigned: Set this property to True to send signed authentication requests.

  • signingCertificate: Specify this property to request a certificate from those in the BIG-IP Next store.

    Note: This property specifies the name value of the signing certificate file you used to upload a signing certificate. The MIME-type for fileName in the request payload is application/x-pem-file.

  • signingPrivateKey: Specify this property to request a key from those in the BIG-IP Next store. SP (BIG-IP Next) uses this private key to sign the authentication request sent to the IdP.

    Note: This property specifies the name value of the signing private key file you used to upload a signing private key. The MIME-type for fileName in the request payload is application/pkcs8.

In addition, the wantAuthnRequestSigned property in the externalServers object should be set to True.

  1. Authenticate with the BIG-IP Next Central Manager API. For details refer to How to: Authenticate with the BIG-IP Next Central Manager API.

  2. Create the policy by sending a POST to the /api/v1/spaces/default/security/access-policies endpoint.

    POST https://{{big-ip_next_cm_mgmt_ip}}/api/v1/spaces/default/security/access-policies

    For the API body, use the following, substituting values appropriate for the policy you want to create.

    {
      "type": "PerSession",
      "policy_type": "PerSession",
      "name": "SamlPerRequestPolicy",
      "properties": [
        {
          "configuration": {
            "timeout": 0,
            "inactivityTimeout": 0,
            "maxSessionTimeout": 0,
            "policyType": "PerSession",
            "profileType": "ltm-access",
            "scope": "profile",
            "policy": {
              "objectContent": {
                "name": "SAML_SP_configuration",
                "languages": ["en", "de"],
                "defaultLanguage": "en",
                "caption": "Sample_SAML_SP_Access_Policy",
                "start": {
                  "itemType": "saml",
                  "name": "SAML_Auth",
                  "nextItems": [
                    {
                      "itemType": "allow",
                      "name": "Allow",
                      "expression": "expr {[mcget {session.saml.last.result}] == 1}"
                    },
                    {
                      "itemType": "deny",
                      "name": "Deny"
                    }
                  ],
                  "service": {
                    "name": "Sample_SAML_SP_Service",
                    "entityId": "app.f5demo.com",
                    "spURI": "https://app.f5demo.com",
                    "wantAssertionSigned": false,
                    "idpConnectors": [
                      {
                        "name": "First_IDP_Connector",
                        "matchingSource": "%{session.server.idpname}",
                        "matchingValue": "idp1.partner.com"
                      },
                      {
                        "name": "Second_IDP_Connector",
                        "matchingSource": "%{session.server.idpname}",
                        "matchingValue": "idp2.partner.com"
                      }
                    ],
                    "attributeConsumingServices": [
                      {
                        "name": "First_SAML_ACS",
                        "serviceName": "Academic Journals R US",
                        "attributes": [
                          {
                            "name": "Attribute_1",
                            "attributeName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.7",
                            "attributeFriendlyName": "eduPersonEntitlement",
                            "attributeNameFormat": "uri"
                          },
                          {
                            "name": "Attribute_2",
                            "attributeName": "urn:oid:2.5.4.42",
                            "attributeFriendlyName": "givenName",
                            "attributeNameFormat": "uri"
                          }
                        ]
                      }
                    ],
                    "authCtxClasses": ["Password", "Kerberos"],
                    "authCtxComparisonType": "better",
                    "authCtxMethods": ["Password", "Kerberos"]
                  }
                }
              }
            }
          },
          "perRequestConfiguration": {
            "policyType": "PerRequest",
            "policy": {
              "objectContent": {
                "name": "hdp1",
                "languages": ["en"],
                "defaultLanguage": "en",
                "start": {
                  "itemType": "http-header-modify",
                  "name": "HTTP_headers",
                  "caption": "HTTP headers",
                  "nextItems": [
                    {"itemType": "allow"}
                  ],
                  "headerEntries": [
                    {
                      "headerOperation": "insert",
                      "headerName": "X-Authenticated-User",
                      "headerValue": "%{session.logon.last.username}"
                    },
                    {
                      "headerOperation": "append",
                      "headerName": "User-Agent",
                      "headerValue": "Mozilla/5.0",
                      "headerDelimiter": ";"
                    },
                    {
                      "headerOperation": "replace",
                      "headerName": "X-Forwarded-For",
                      "headerValue": "%{session.user.clientip}"
                    },
                    {
                      "headerOperation": "remove",
                      "headerName": "Cache-Control"
                    }
                  ],
                  "cookieEntries": [
                    {
                      "cookieOperation": "update",
                      "cookieName": "PHPSESSID",
                      "cookieValue": "1234"
                    },
                    {
                      "cookieOperation": "delete",
                      "cookieName": "mySession"
                    }
                  ]
                }
              }
            }
          }
        }
      ]
    }

    BIG-IP Next Central Manager creates the policy specified by the parameter values used in the body of your POST.

    Note: To deploy this policy with an application, you deploy an application that uses the Access template. When you specify that template as part of application deployment, you choose the policy that you want to deploy with it. For additional details about deploying an application, refer to How to: Manage applications using BIG-IP Next Central Manager and FAST templates.

Create a policy with an encrypted assertion

Configure a SAML policy with an encrypted assertion if the SP (BIG-IP) requires encrypted assertions from an IdP.

Using BIG-IP Next Central Manager GUI

In this example, we use the BIG-IP Next Central Manager user interface to create a new SAML service provider (SP) Access policy with an encrypted assertion.

  1. Log in to BIG-IP Next Central Manager as admin, click the Workspace icon, click Security, and then click Access.

  2. At the top of the screen, click Create.
    The Visual Policy Designer (VPD) workspace opens.

  3. At the top of the page, click the Edit icon.
    The Create Policy page opens.

  4. Type a Policy Name for the policy.

  5. Scroll through the remaining (optional) properties and revise any value that you want to change from its default setting.

  6. Click Save & Continue.
    The Session Properties tab of the Create Policy page opens.

  7. Scroll through the properties on this tab and revise any value that you want to change from its default setting.

  8. Click Save & Continue.
    The Logging tab of the Create Policy page opens.

  9. Select the logging level for Traffic Manager.

  10. Select the logging level for Web SSO.

  11. Select the logging level for Access Policy.

  12. Select the logging level for Renderer.

  13. Click Save & Continue.
    The Single Sign-On tab of the Create Policy page opens.

  14. To specify a single sign-on method for this policy, click Start Creating, then select a method.

    • For details about specifying an HTTP Basic method, see HTTP Basic SSO.

    • For details about specifying a Kerberos method, see Kerberos SSO.

  15. Click Save & Continue. The Policy Endings tab of the Create Policy page opens.

  16. Confirm that the policy endings are correctly set and then click Save & Finish.
    The VPD workspace opens.

  17. Drag the Basic-SAML-Auth flow into the VPD workspace.

  18. On the Basic-SAML-Auth flow, click the Expand icon.
    The flow expands so you can edit it.

  19. Hover the cursor over the SAML_Auth rule inside the Basic-SAML-Auth flow and then click the Edit icon.
    The General Properties tab of the Rule Configuration page opens.

  20. Specify General Properties for the policy.

    1. For Service Name, type the name for the service.

    2. Click Save & Continue.
      The Providers tab opens.

  21. Under Service Providers, click Edit.
    The Add Service Provider page opens.

  22. For Audience URI (Entity ID), confirm that the URI for the service is correct.

  23. For Host, confirm that the URL of the website is correct.

    Note: The URL must include the scheme & hostname. Host is only required if the entity ID is not in URL format.

  24. Under Security Properties, clear the Sign Authentication Requests checkbox.

  25. From Message Signing Certificate and Key, select a certificate and key pair.

  26. Under Security Properties, select the Want Encrypted Assertion checkbox.

  27. Scroll through the remaining (optional) properties and revise any value that you want to change from its default setting.

  28. Click Save to save the Service Provider settings and return to the Providers tab.

  29. Under Identity Providers, decide whether you are going to specify settings for the provider or import them.

    • To specify settings for an identity provider:

      1. Click Start Creating.
        The Add Identity Provider page opens.

      2. For Issuer (Entity ID), type the ID for the identity provider.

      3. For Single Sign-on Service URL, type the URL for this connector.

      4. Click Save.

    • To import settings for an identity provider from a file:

      1. Click Import, then select Import from metadata.
        The Import from metadata page opens.

      2. Drag and drop or browse to the file you want to import.
        When you complete your selection, BIG-IP Next Central Manager imports the settings from the file you chose and displays them on screen.

      3. When you are satisfied with the settings, click Save.

    • To import settings for an identity provider from a URL:

      1. Click Import, then select Import from URL.
        The Import from URL screen opens.

      2. Enter the URL provided by your identity provider and click Enter.
        BIG-IP Next Central Manager imports the settings from the URL you chose and displays them on screen.

      3. When you are satisfied with the settings, click Save.

  30. On the Providers tab of the Rule Configurations page, click Save & Continue.
    The Branches tab of the Rule Configurations page opens.

  31. Under Branches, click Create.
    The Branches page opens.

  32. Under Expression, select a Context and a Condition for this branch, then select the option appropriate for the context you selected.

  33. Add any (optional) AND or OR branches needed for the policy, and then click Save & Finish.

  34. On the Branches tab of the Rule Configuration page, click Save & Finish.
    The VPD workspace displays the revised policy.

  35. Review the policy in the VPD workspace; then, when you are satisfied with the settings, click Save & Finish to finish creating the policy.
    BIG-IP Next Central Manager adds the policy to the Access Policies list.

    Note: To deploy this policy with an application, you deploy an application that uses the Access template. When you specify that template as part of application deployment, you choose the policy that you want to deploy with it. For additional details about deploying an application, refer to How to: Manage applications using BIG-IP Next Central Manager and FAST templates.

Using BIG-IP Next Central Manager API

In this example, we use the BIG-IP Next Central Manager API to create a new SAML service provider (SP) Access policy with an encrypted assertion.

  1. Authenticate with the BIG-IP Next Central Manager API. For details refer to How to: Authenticate with the BIG-IP Next Central Manager API.

  2. Create the policy by sending a POST to the /api/v1/spaces/default/security/access-policies endpoint.

    POST https://{{big-ip_next_cm_mgmt_ip}}/api/v1/spaces/default/security/access-policies

    For the API body, use the following, substituting values appropriate for the policy you want to create.

    {
      "type": "PerSession",
      "policy_type": "PerSession",
      "name": "SamlPerRequestPolicy",
      "properties": [
        {
          "configuration": {
            "timeout": 0,
            "inactivityTimeout": 0,
            "maxSessionTimeout": 0,
            "policyType": "PerSession",
            "profileType": "ltm-access",
            "scope": "profile",
            "policy": {
              "objectContent": {
                "name": "SAML_SP_configuration",
                "languages": ["en", "de"],
                "defaultLanguage": "en",
                "caption": "Sample_SAML_SP_Access_Policy",
                "start": {
                  "itemType": "saml",
                  "name": "SAML_Auth",
                  "nextItems": [
                    {
                      "itemType": "allow",
                      "name": "Allow",
                      "expression": "expr {[mcget {session.saml.last.result}] == 1}"
                    },
                    {
                      "itemType": "deny",
                      "name": "Deny"
                    }
                  ],
                  "service": {
                    "name": "Sample_SAML_SP_Service",
                    "entityId": "app.f5demo.com",
                    "spURI": "https://app.f5demo.com",
                    "wantAssertionEncrypted": true,
                    "idpConnectors": [
                      {
                        "name": "First_IDP_Connector",
                        "matchingSource": "%{session.server.idpname}",
                        "matchingValue": "idp1.partner.com"
                      },
                      {
                        "name": "Second_IDP_Connector",
                        "matchingSource": "%{session.server.idpname}",
                        "matchingValue": "idp2.partner.com"
                      }
                    ],
                    "attributeConsumingServices": [
                      {
                        "name": "First_SAML_ACS",
                        "serviceName": "Academic Journals R US",
                        "attributes": [
                          {
                            "name": "Attribute_1",
                            "attributeName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.7",
                            "attributeFriendlyName": "eduPersonEntitlement",
                            "attributeNameFormat": "uri"
                          },
                          {
                            "name": "Attribute_2",
                            "attributeName": "urn:oid:2.5.4.42",
                            "attributeFriendlyName": "givenName",
                            "attributeNameFormat": "uri"
                          }
                        ]
                      }
                    ],
                    "authCtxClasses": ["Password", "Kerberos"],
                    "authCtxComparisonType": "better",
                    "authCtxMethods": ["Password", "Kerberos"]
                  }
                }
              }
            }
          },
          "perRequestConfiguration": {
            "policyType": "PerRequest",
            "policy": {
              "objectContent": {
                "name": "hdp1",
                "languages": ["en"],
                "defaultLanguage": "en",
                "start": {
                  "itemType": "http-header-modify",
                  "name": "HTTP_headers",
                  "caption": "HTTP headers",
                  "nextItems": [
                    {"itemType": "allow"}
                  ],
                  "headerEntries": [
                    {
                      "headerOperation": "insert",
                      "headerName": "X-Authenticated-User",
                      "headerValue": "%{session.logon.last.username}"
                    },
                    {
                      "headerOperation": "append",
                      "headerName": "User-Agent",
                      "headerValue": "Mozilla/5.0",
                      "headerDelimiter": ";"
                    },
                    {
                      "headerOperation": "replace",
                      "headerName": "X-Forwarded-For",
                      "headerValue": "%{session.user.clientip}"
                    },
                    {
                      "headerOperation": "remove",
                      "headerName": "Cache-Control"
                    }
                  ],
                  "cookieEntries": [
                    {
                      "cookieOperation": "update",
                      "cookieName": "PHPSESSID",
                      "cookieValue": "1234"
                    },
                    {
                      "cookieOperation": "delete",
                      "cookieName": "mySession"
                    }
                  ]
                }
              }
            }
          }
        }
      ]
    }

    BIG-IP Next Central Manager creates the policy specified by the parameter values used in the body of your POST.

    Note: To deploy this policy with an application, you deploy an application that uses the Access template. When you specify that template as part of application deployment, you choose the policy that you want to deploy with it. For additional details about deploying an application, refer to How to: Manage applications using BIG-IP Next Central Manager and FAST templates.

Create a policy with an IdP’s assertion verification certificate

Configure a SAML policy with an IdP’s assertion verification certificate if the SP (BIG-IP Next) requires signed assertions from an IdP.

Using BIG-IP Next Central Manager GUI

In this example, we use the BIG-IP Next Central Manager user interface to create a new SAML service provider (SP) Access policy that uses a signed assertion.

  1. Log in to BIG-IP Next Central Manager as admin, click the Workspace icon, click Security, and then click Access.

  2. At the top of the screen, click Create.
    The Visual Policy Designer (VPD) workspace opens.

  3. At the top of the page, click the Edit icon.
    The Create Policy page opens.

  4. Type a Policy Name for the policy.

  5. Scroll through the remaining (optional) properties and revise any value that you want to change from its default setting.

  6. Click Save & Continue.
    The Session Properties tab of the Create Policy page opens.

  7. Scroll through the properties on this tab and revise any value that you want to change from its default setting.

  8. Click Save & Continue.
    The Logging tab of the Create Policy page opens.

  9. Select the logging level for Traffic Manager.

  10. Select the logging level for Web SSO.

  11. Select the logging level for Access Policy.

  12. Select the logging level for Renderer.

  13. Click Save & Continue.
    The Single Sign-On tab of the Create Policy page opens.

  14. To specify a single sign-on method for this policy, click Start Creating, then select a method.

    • For details about specifying an HTTP Basic method, see HTTP Basic SSO.

    • For details about specifying a Kerberos method, see Kerberos SSO.

  15. Click Save & Continue. The Policy Endings tab of the Create Policy page opens.

  16. Confirm that the policy endings are correctly set and then click Save & Finish.
    The VPD workspace opens.

  17. Drag the Basic-SAML-Auth flow into the VPD workspace.

  18. On the Basic-SAML-Auth flow, click the Expand icon.
    The flow expands so you can edit it.

  19. Hover the cursor over the SAML_Auth rule inside the Basic-SAML-Auth flow and then click the Edit icon.
    The General Properties tab of the Rule Configuration page opens.

  20. Specify General Properties for the policy.

    1. For Service Name, type the name for the service.

    2. Click Save & Continue.
      The Providers tab opens.

  21. Under Service Providers, click Start Creating.
    The Add Service Provider page opens.

    1. For Audience URI (Entity ID), type the URI for the service.

    2. For Host, type the URL for the website.

      Note: The URL must include the scheme & hostname. Host is only required if the entity ID is not in URL format.

    3. Under Security Properties, clear the Sign Authentication Requests checkbox.

    4. From Message Signing Certificate and Key, select a certificate and key pair.

    5. Under Security Properties, clear the Want Encrypted Assertion checkbox.

    6. Under Security Properties, select the Want Signed Assertion checkbox.

    7. Scroll through the remaining (optional) properties and revise any value that you want to change from its default setting.

    8. Click Save to save the Service Provider settings and return to the Providers tab.

  22. Under Identity Providers, decide whether you are going to specify settings for the provider or import them.

    • To specify settings for an identity provider:

      1. Click Start Creating.
        The Add Identity Provider page opens.

      2. For Issuer (Entity ID), type the ID for the identity provider.

      3. For Single Sign-on Service URL, type the URL for this connector.

      4. Click Save.

    • To import settings for an identity provider from a file:

      1. Click Import, then select Import from metadata.
        The Import from metadata page opens.

      2. Drag and drop or browse to the file you want to import.
        When you complete your selection, BIG-IP Next Central Manager imports the settings from the file you chose and displays them on screen.

      3. When you are satisfied with the settings, click Save.

    • To import settings for an identity provider from a URL:

      1. Click Import, then select Import from URL.
        The Import from URL screen opens.

      2. Enter the URL provided by your identity provider and click Enter.
        BIG-IP Next Central Manager imports the settings from the URL you chose and displays them on screen.

      3. When you are satisfied with the settings, click Save.

  23. On the Providers tab of the Rule Configurations page, click Save & Continue.
    The Branches tab of the Rule Configurations page opens.

  24. Under Branches, click Create.
    The Branches page opens.

  25. Under Expression, select a Context and a Condition for this branch, then select the option appropriate for the context you selected.

  26. Add any (optional) AND or OR branches needed for the policy, and then click Save & Finish.

  27. On the Branches tab of the Rule Configuration page, click Save & Finish.
    The VPD workspace displays the revised policy.

  28. Review the policy in the VPD workspace; then, when you are satisfied with the settings, click Save & Finish to finish creating the policy.
    BIG-IP Next Central Manager adds the policy to the Access Policies list.

    Note: To deploy this policy with an application, you deploy an application that uses the Access template. When you specify that template as part of application deployment, you choose the policy that you want to deploy with it. For additional details about deploying an application, refer to How to: Manage applications using BIG-IP Next Central Manager and FAST templates.

Using BIG-IP Next Central Manager API

In this example, we use the BIG-IP Next Central Manager API to create a new SAML service provider (SP) Access policy with an IdP’s assertion verification certificate.

  1. Authenticate with the BIG-IP Next Central Manager API. For details refer to How to: Authenticate with the BIG-IP Next Central Manager API.

  2. Create the policy by sending a POST to the /api/v1/spaces/default/security/access-policies endpoint.

    POST https://{{big-ip_next_cm_mgmt_ip}}/api/v1/spaces/default/security/access-policies

    For the API body, use the following, substituting values appropriate for the policy you want to create.

    {
     "description": "",
     "name": "SigneAssert",
     "policy_type": "PerSession",
     "properties": [
      {
       "configuration": {
        "policyType": "PerSession",
        "name": "SigneAssert",
        "profileType": "all",
        "scope": "profile",
        "timeout": 300,
        "inactivityTimeout": 900,
        "maxSessionTimeout": 604800,
        "maxConcurrentUsers": 0,
        "maxConcurrentSessions": 0,
        "maxInProgressSessions": 128,
        "minFailureDelay": 2,
        "maxFailureDelay": 5,
        "domainCookie": "",
        "secureCookie": true,
        "persistentCookie": false,
        "httpOnlyCookie": false,
        "samesiteCookie": false,
        "samesiteCookieAttrValue": "strict",
        "restrictToSingleClientIP": false,
        "useHttp503OnError": false,
        "logoutUriInclude": "",
        "logoutUriTimeout": 5,
        "externalServers": [],
        "policy": {
         "objectContent": {
          "type": "PerSession",
          "name": "SigneAssert",
          "defaultLanguage": "en",
          "languages": [
           "en"
          ],
          "start": {
           "itemType": "saml",
           "name": "SigneAssert_item",
           "service": {
            "name": "",
            "description": "",
            "entityId": "http://sign.as.com",
            "acsBinding": "http-post",
            "isAuthnRequestSigned": false,
            "wantAssertionEncrypted": false,
            "wantAssertionSigned": true,
            "authCtxComparisonType": "exact",
            "forceAuthn": false,
            "allowNameIdentifierCreation": true,
            "nameIdFormat": "unspecified",
            "relayState": "",
            "nameIdSpNameQualifier": "",
            "providerName": "",
            "spURI": "http://sign.as.com"
           },
           "nextItems": [
            {
             "name": "Allow",
             "expression": "expr {[mcget {session.saml.last.result}] == 1}",
             "itemType": "allow"
            },
            {
             "name": "Deny",
             "itemType": "deny"
            }
           ]
          }
         }
        }
       }
      }
     ],
     "use_case": "SAML-SP"
    }

    BIG-IP Next Central Manager creates the policy specified by the parameter values used in the body of your POST.

    Note: To deploy this policy with an application, you deploy an application that uses the Access template. When you specify that template as part of application deployment, you choose the policy that you want to deploy with it. For additional details about deploying an application, refer to How to: Manage applications using BIG-IP Next Central Manager and FAST templates.
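The three API procedures above (signed authentication requests, encrypted assertion, signed assertion) share one body layout and differ only in a few service properties. The following Python, an added example that is not F5's code and not from this page, assembles such a body from the documented property names (isAuthnRequestSigned, signingCertificate, signingPrivateKey, wantAssertionSigned, wantAssertionEncrypted, externalServers.wantAuthnRequestSigned), lints it for the consistency points the notes above call out, and sends it to the access-policies endpoint. The certificate and key names are placeholders, the shape of an externalServers entry is assumed to carry a name and the wantAuthnRequestSigned flag, and the Bearer-token header is an assumption about how the authenticated API session is presented.

```python
"""Assemble, lint and POST a SAML SP access-policy body for BIG-IP Next Central
Manager.  Constructed example: cert/key names are placeholders and the
Authorization header is an assumption about the authenticated session."""
import json
from urllib import request

ACCESS_POLICIES_PATH = "/api/v1/spaces/default/security/access-policies"
ALLOW_EXPR = "expr {[mcget {session.saml.last.result}] == 1}"


def saml_service(name, entity_id, sp_uri, *, sign_authn_requests=False,
                 signing_certificate=None, signing_private_key=None,
                 want_assertion_signed=False, want_assertion_encrypted=False):
    """Build the 'service' object of the 'saml' start item using the property
    names the page documents (isAuthnRequestSigned, signingCertificate, ...)."""
    if sign_authn_requests and not (signing_certificate and signing_private_key):
        raise ValueError("isAuthnRequestSigned needs signingCertificate and signingPrivateKey")
    if "\\" in sp_uri:
        # Reject the escaped "https:\/\/..." form; the API wants a plain URL.
        raise ValueError("spURI must be a plain URL without escaped slashes")
    service = {
        "name": name,
        "entityId": entity_id,
        "spURI": sp_uri,
        "acsBinding": "http-post",
        "isAuthnRequestSigned": sign_authn_requests,
        "wantAssertionSigned": want_assertion_signed,
        "wantAssertionEncrypted": want_assertion_encrypted,
    }
    if sign_authn_requests:
        # Names of the certificate and key files previously uploaded to the store.
        service["signingCertificate"] = signing_certificate
        service["signingPrivateKey"] = signing_private_key
    return service


def idp_connector(name, idp_hostname):
    """One idpConnectors entry, selected at run time by the session's IdP name."""
    return {"name": name, "matchingSource": "%{session.server.idpname}",
            "matchingValue": idp_hostname}


def policy_body(policy_name, service, idp_connectors, external_servers=()):
    """Wrap the service in the per-session policy structure the examples use."""
    service = dict(service, idpConnectors=list(idp_connectors))
    return {
        "type": "PerSession",
        "policy_type": "PerSession",
        "name": policy_name,
        "use_case": "SAML-SP",
        "properties": [{"configuration": {
            "policyType": "PerSession",
            "profileType": "ltm-access",
            "scope": "profile",
            "externalServers": list(external_servers),  # assumed entry shape
            "policy": {"objectContent": {
                "name": policy_name,
                "languages": ["en"],
                "defaultLanguage": "en",
                "start": {
                    "itemType": "saml",
                    "name": "SAML_Auth",
                    "service": service,
                    "nextItems": [
                        {"itemType": "allow", "name": "Allow", "expression": ALLOW_EXPR},
                        {"itemType": "deny", "name": "Deny"},
                    ],
                },
            }},
        }}],
    }


def lint_policy(body):
    """Return the problems to settle before POSTing: signed requests need the IdP
    side (externalServers) to expect them, the SP should enforce assertion
    integrity, and the Allow branch must depend on the SAML result."""
    problems = []
    cfg = body["properties"][0]["configuration"]
    start = cfg["policy"]["objectContent"]["start"]
    svc = start["service"]
    if svc.get("isAuthnRequestSigned"):
        for srv in cfg.get("externalServers", []):
            if not srv.get("wantAuthnRequestSigned"):
                problems.append(f"externalServers entry {srv.get('name')!r} lacks wantAuthnRequestSigned")
    if not (svc.get("wantAssertionSigned") or svc.get("wantAssertionEncrypted")):
        problems.append("neither wantAssertionSigned nor wantAssertionEncrypted is set")
    allow = [i for i in start["nextItems"] if i["itemType"] == "allow"]
    if not all("session.saml.last.result" in i.get("expression", "") for i in allow):
        problems.append("an Allow branch does not test session.saml.last.result")
    return problems


def post_policy(mgmt_ip, token, body, timeout=30):
    """POST the body to Central Manager, refusing one that lint_policy rejects."""
    problems = lint_policy(body)
    if problems:
        raise ValueError("; ".join(problems))
    req = request.Request(f"https://{mgmt_ip}{ACCESS_POLICIES_PATH}",
                          data=json.dumps(body).encode(), method="POST",
                          headers={"Content-Type": "application/json",
                                   "Authorization": f"Bearer {token}"})  # assumption
    with request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)
```

Run `lint_policy` on the page's own signed-request body and it reports that neither assertion signing nor encryption is required, which is the caveat to settle with the IdP before deploying.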

Create a policy with attribute consuming services

Configure a SAML policy with attribute consuming services if the SP (BIG-IP) requires specific attributes from an IdP.

Using BIG-IP Next Central Manager GUI

In this example, we use the BIG-IP Next Central Manager user interface to create a new SAML service provider (SP) Access policy that includes attribute consuming services.

  1. Log in to BIG-IP Next Central Manager as admin, click the Workspace icon, click Security, and then click Access.

  2. At the top of the screen, click Create.
    The Visual Policy Designer (VPD) workspace opens.

  3. At the top of the page, click the Edit icon.
    The Create Policy page opens.

  4. Type a Policy Name for the policy.

  5. Scroll through the remaining (optional) properties and revise any value that you want to change from its default setting.

  6. Click Save & Continue.
    The Session Properties tab of the Create Policy page opens.

  7. Scroll through the properties on this tab and revise any value that you want to change from its default setting.

  8. Click Save & Continue.
    The Logging tab of the Create Policy page opens.

  9. Select the logging level for Traffic Manager.

  10. Select the logging level for Web SSO.

  11. Select the logging level for Access Policy.

  12. Select the logging level for Renderer.

  13. Click Save & Continue.
    The Single Sign-On tab of the Create Policy page opens.

  14. To specify a single sign-on method for this policy, click Start Creating, then select a method.

    • For details about specifying an HTTP Basic method, see HTTP Basic SSO.

    • For details about specifying a Kerberos method, see Kerberos SSO.

  15. Click Save & Continue. The Policy Endings tab of the Create Policy page opens.

  16. Confirm that the policy endings are correctly set and then click Save & Finish.
    The VPD workspace opens.

  17. Drag the Basic-SAML-Auth flow into the VPD workspace.

  18. On the Basic-SAML-Auth flow, click the Expand icon.
    The flow expands so you can edit it.

  19. Hover the cursor over the SAML_Auth rule inside the Basic-SAML-Auth flow and then click the Edit icon.
    The General Properties tab of the Rule Configuration page opens.

  20. Specify General Properties for the policy.

    1. For Service Name, type the name for the service.

    2. Under Service Provider Configuration, select Advanced. Additional fields are displayed.

    3. Select the Attribute Consuming Service toggle.

    4. Click Save & Continue.

    5. Under Service Providers, click Edit. The General Properties tab of the Add Service Provider page opens.

    6. For Audience URI (Entity ID), confirm that the URI for the service is correct.

    7. For Host, confirm that the URL of the website is correct.

      Note: The URL must include the scheme and hostname. Host is required only if the entity ID is not in URL format.

    8. Under Security Properties, clear the Sign Authentication Requests checkbox.

    9. From Message Signing Certificate and Key, select a certificate and key pair.

    10. Under Security Properties, clear the Want Encrypted Assertion checkbox.

    11. Under Security Properties, clear the Want signed Assertion checkbox.

      Note: With this checkbox cleared, the SP does not require the IdP to sign the assertion, so it cannot use the signature to verify that the assertion came from that IdP and was not altered in transit. Clear it only for testing against an IdP that does not sign assertions; keep it selected in production.

    12. Scroll through the remaining (optional) properties and revise any value that you want to change from its default setting.

    13. On the left, under Configuration, click the Attribute Consuming Service tab.

    14. Under Attribute Consuming Service, Click Add.
      The New Attribute Consuming Service page opens.

    15. Type a Name for the attribute consuming service.

    16. Under No Attribute Consuming Services, click Add. The New Attribute page opens.

    17. Under General Properties, type a Name for the attribute.

    18. For Attribute Format, select the format of the attribute.

    19. For Friendly Name, type an easy-to-read name for the attribute, then click Save.

    20. On the Add Service Provider page, click Save to save the Service Provider settings and return to the Providers tab.

  21. Under Identity Providers, decide whether you are going to specify settings for the provider or import them.

    • To specify settings for an identity provider:

      1. Click Start Creating.
        The Add Identity Provider page opens.

      2. For Issuer (Entity ID), type the ID for the identity provider.

      3. For Single Sign-on Service URL, type the URL for this connector.

      4. Click Save.

    • To import settings for an identity provider from a file:

      1. Click Import, then select Import from metadata.
        The Import from metadata page opens.

      2. Drag and drop or browse to the file you want to import.
        When you complete your selection, BIG-IP Next Central Manager imports the settings from the file you chose and displays them on screen.

      3. When you are satisfied with the settings, click Save.

    • To import settings for an identity provider from a URL:

      1. Click Import, then select Import from URL.
        The Import from URL screen opens.

      2. Enter the URL provided by your identity provider and click Enter.
        BIG-IP Next Central Manager imports the settings from the URL you chose and displays them on screen.

      3. When you are satisfied with the settings, click Save.

  22. On the Providers tab of the Rule Configurations page, click Save & Continue.
    The Branches tab of the Rule Configurations page opens.

  23. Under Branches, click Create.
    The Branches page opens.

  24. Under Expression, select a Context and a Condition for this branch, then select the option appropriate for the context you selected.

  25. Add any (optional) AND or OR branches needed for the policy, and then click Save & Finish.

  26. On the Branches tab of the Rule Configuration page, click Save & Finish.
    The VPD workspace displays the revised policy.

  27. Review the policy in the VPD workspace; then, when you are satisfied with the settings, click Save & Finish to finish creating the policy.
    BIG-IP Next Central Manager adds the policy to the Access Policies list.

    Note: To deploy this policy with an application, you deploy an application that uses the Access template. When you specify that template as part of application deployment, you choose the policy that you want to deploy with it. For additional details about deploying an application, refer to How to: Manage applications using BIG-IP Next Central Manager and FAST templates.

Using BIG-IP Next Central Manager API

In this example, we use the BIG-IP Next Central Manager API to create a new SAML service provider (SP) Access policy with an attribute consuming service.

  1. Authenticate with the BIG-IP Next Central Manager API. For details, refer to How to: Authenticate with the BIG-IP Next Central Manager API.

  2. Create the policy by sending a POST to the /api/v1/spaces/default/security/access-policies endpoint.

    POST https://{{big-ip_next_cm_mgmt_ip}}/api/v1/spaces/default/security/access-policies
    

    For the API body, use the following, substituting values appropriate for the policy you want to create.

    {
     "description": "",
     "name": "SigneAssert",
     "policy_type": "PerSession",
     "properties": [
       {
       "configuration": {
        "policyType": "PerSession",
        "name": "SigneAssert",
        "profileType": "all",
        "scope": "profile",
        "timeout": 300,
        "inactivityTimeout": 900,
        "maxSessionTimeout": 604800,
        "maxConcurrentUsers": 0,
        "maxConcurrentSessions": 0,
        "maxInProgressSessions": 128,
        "minFailureDelay": 2,
        "maxFailureDelay": 5,
        "domainCookie": "",
        "secureCookie": true,
        "persistentCookie": false,
        "httpOnlyCookie": false,
        "samesiteCookie": false,
        "samesiteCookieAttrValue": "strict",
        "restrictToSingleClientIP": false,
        "useHttp503OnError": false,
        "logoutUriInclude": "",
        "logoutUriTimeout": 5,
        "externalServers": [],
        "policy": {
         "objectContent": {
          "type": "PerSession",
          "name": "SigneAssert",
          "defaultLanguage": "en",
          "languages": [
           "en"
          ],
          "start": {
           "itemType": "saml",
           "name": "SigneAssert_item",
           "service": {
            "name": "",
            "description": "",
            "entityId": "http://sign.as.com",
            "acsBinding": "http-post",
            "isAuthnRequestSigned": false,
            "wantAssertionEncrypted": false,
            "wantAssertionSigned": true,
            "authCtxComparisonType": "exact",
            "forceAuthn": false,
            "allowNameIdentifierCreation": true,
            "nameIdFormat": "unspecified",
            "relayState": "",
            "nameIdSpNameQualifier": "",
            "providerName": "",
            "spURI": "http://sign.as.com"
           },
           "nextItems": [
            {
             "name": "Allow",
             "expression": "expr {[mcget {session.saml.last.result}] == 1}",
             "itemType": "allow"
            },
            {
             "name": "Deny",
             "itemType": "deny"
            }
           ]
          }
         }
        }
       }
      }
      ],
     "use_case": "SAML-SP"
    }
    

    BIG-IP Next Central Manager creates the policy specified by the parameter values used in the body of your POST.

    Note: To deploy this policy with an application, you deploy an application that uses the Access template. When you specify that template as part of application deployment, you choose the policy that you want to deploy with it. For additional details about deploying an application, refer to How to: Manage applications using BIG-IP Next Central Manager and FAST templates.

Create a policy with authentication context classes

Configure a SAML policy with authentication context classes if the SP (BIG-IP) uses them to validate the authentication context in the assertion from an IdP.

Using BIG-IP Next Central Manager GUI

In this example, we use the BIG-IP Next Central Manager user interface to create a new SAML service provider (SP) Access policy that uses authentication context classes to validate the authentication context in the assertion from an IdP.

  1. Log in to BIG-IP Next Central Manager as admin, click the Workspace icon, click Security, and then click Access.

  2. At the top of the screen, click Create.
    The Visual Policy Designer (VPD) workspace opens.

  3. At the top of the page, click the Edit icon.
    The Create Policy page opens.

  4. Type a Policy Name for the policy.

  5. Scroll through the remaining (optional) properties and revise any value that you want to change from its default setting.

  6. Click Save & Continue.
    The Session Properties tab of the Create Policy page opens.

  7. Scroll through the properties on this tab and revise any value that you want to change from its default setting.

  8. Click Save & Continue.
    The Logging tab of the Create Policy page opens.

  9. Select the logging level for Traffic Manager.

  10. Select the logging level for Web SSO.

  11. Select the logging level for Access Policy.

  12. Select the logging level for Renderer.

  13. Click Save & Continue.
    The Single Sign-On tab of the Create Policy page opens.

  14. To specify a single sign-on method for this policy, click Start Creating, then select a method.

    • For details about specifying an HTTP Basic method, see HTTP Basic SSO.

    • For details about specifying a Kerberos method, see Kerberos SSO.

  15. Click Save & Continue. The Policy Endings tab of the Create Policy page opens.

  16. Confirm that the policy endings are correctly set and then click Save & Finish.
    The VPD workspace opens.

  17. Drag the Basic-SAML-Auth flow into the VPD workspace.

  18. On the Basic-SAML-Auth flow, click the Expand icon.
    The flow expands so you can edit it.

  19. Hover the cursor over the SAML_Auth rule inside the Basic-SAML-Auth flow and then click the Edit icon.
    The General Properties tab of the Rule Configuration page opens.

  20. Specify General Properties for the policy.

    1. For Service Name, type the name for the service.

    2. Under Service Provider Configuration, select Advanced.
      Additional fields are displayed.

    3. Select the Authentication Context Classes toggle.

    4. Click Save & Continue.

    5. Under Service Providers, click Edit.
      The Add Service Provider page opens.

    6. For Audience URI (Entity ID), confirm the URI for the service is correct.

    7. For Host, confirm that the URL of the website is correct.

      Note: The URL must include the scheme and hostname. Host is required only if the entity ID is not in URL format.

    8. Under Security Properties, clear the Sign Authentication Requests checkbox.

    9. From Message Signing Certificate and Key, select a certificate and key pair.

    10. Under Security Properties, clear the Want Encrypted Assertion checkbox.

    11. Under Security Properties, clear the Want signed Assertion checkbox.

    12. Scroll through the remaining (optional) properties and revise any value that you want to change from its default setting.

    13. Click Save to save the Service Provider settings and return to the Providers tab.

  21. Under Identity Providers, decide whether you are going to specify settings for the provider or import them.

    • To specify settings for an identity provider:

      1. Click Start Creating.
        The Add Identity Provider page opens.

      2. For Issuer (Entity ID), type the ID for the identity provider.

      3. For Single Sign-on Service URL, type the URL for this connector.

      4. Click Save.

    • To import settings for an identity provider from a file:

      1. Click Import, then select Import from metadata.
        The Import from metadata page opens.

      2. Drag and drop or browse to the file you want to import.
        When you complete your selection, BIG-IP Next Central Manager imports the settings from the file you chose and displays them on screen.

      3. When you are satisfied with the settings, click Save.

    • To import settings for an identity provider from a URL:

      1. Click Import, then select Import from URL.
        The Import from URL screen opens.

      2. Enter the URL provided by your identity provider and click Enter.
        BIG-IP Next Central Manager imports the settings from the URL you chose and displays them on screen.

      3. When you are satisfied with the settings, click Save.

  22. On the Providers tab of the Rule Configurations page, click Save & Continue.
    The Branches tab of the Rule Configurations page opens.

  23. Under Branches, click Create.
    The Branches page opens.

  24. Under Expression, select a Context and a Condition for this branch, then select the option appropriate for the context you selected.

  25. Add any (optional) AND or OR branches needed for the policy, and then click Save & Finish.

  26. On the Branches tab of the Rule Configuration page, click Save & Finish.
    The VPD workspace displays the revised policy.

  27. Review the policy in the VPD workspace; then, when you are satisfied with the settings, click Save & Finish to finish creating the policy.
    BIG-IP Next Central Manager adds the policy to the Access Policies list.

    Note: To deploy this policy with an application, you deploy an application that uses the Access template. When you specify that template as part of application deployment, you choose the policy that you want to deploy with it. For additional details about deploying an application, refer to How to: Manage applications using BIG-IP Next Central Manager and FAST templates.

Using BIG-IP Next Central Manager API

In this example, we use the BIG-IP Next Central Manager API to create a new SAML service provider (SP) Access policy with authentication context classes.

  1. Authenticate with the BIG-IP Next Central Manager API. For details, refer to How to: Authenticate with the BIG-IP Next Central Manager API.

  2. Create the policy by sending a POST to the /api/v1/spaces/default/security/access-policies endpoint.

    POST https://{{big-ip_next_cm_mgmt_ip}}/api/v1/spaces/default/security/access-policies
    

    For the API body, use the following, substituting values appropriate for the policy you want to create.

    {
     "description": "",
     "name": "Policy2",
     "policy_type": "PerSession",
     "properties": [
       {
        "configuration": {
         "policyType": "PerSession",
         "name": "Policy2",
         "profileType": "all",
         "scope": "profile",
         "timeout": 300,
         "inactivityTimeout": 900,
         "maxSessionTimeout": 604800,
         "maxConcurrentUsers": 0,
         "maxConcurrentSessions": 0,
         "maxInProgressSessions": 128,
         "minFailureDelay": 2,
         "maxFailureDelay": 5,
         "domainCookie": "",
         "secureCookie": true,
         "persistentCookie": false,
         "httpOnlyCookie": false,
         "samesiteCookie": false,
         "samesiteCookieAttrValue": "strict",
         "restrictToSingleClientIP": false,
         "useHttp503OnError": false,
         "logoutUriInclude": "",
         "logoutUriTimeout": 5,
         "externalServers": [
         {
          "entityId": "http://entity2.com",
          "name": "Connector1",
          "serverType": "SamlIdPConnector",
          "ssoUri": "http://acme1.com",
          "wantAuthnRequestSigned": false,
          "wantDetachedSignature": false,
          "identityLocation": "subject",
          "signatureType": "sha256",
          "singleLogoutBinding": "http-post",
          "ssoBinding": "http-post"
         }
        ],
        "policy": {
         "objectContent": {
          "type": "PerSession",
          "name": "Policy2",
          "defaultLanguage": "en",
          "languages": [
           "en"
          ],
          "start": {
           "itemType": "saml",
           "name": "Policy2_item",
           "service": {
            "name": "",
            "description": "",
            "entityId": "http://entity2.com",
            "acsBinding": "http-post",
            "isAuthnRequestSigned": false,
            "wantAssertionEncrypted": false,
            "wantAssertionSigned": true,
            "authCtxComparisonType": "exact",
            "forceAuthn": false,
            "allowNameIdentifierCreation": true,
            "nameIdFormat": "unspecified",
            "relayState": "",
            "nameIdSpNameQualifier": "",
            "providerName": "",
            "spURI": "http://entity2.com",
            "idpConnectors": [
             {
              "name": "Connector1"
             }
            ]
           },
           "nextItems": [
            {
             "name": "Allow",
             "expression": "expr {[mcget {session.saml.last.result}] == 1}",
             "itemType": "allow"
            },
            {
             "name": "Deny",
             "itemType": "deny"
            }
           ]
          }
         }
        }
       }
      }
     ],
     "use_case": "SAML-SP"
    }
    

    BIG-IP Next Central Manager creates the policy specified by the parameter values used in the body of your POST.

    Note: To deploy this policy with an application, you deploy an application that uses the Access template. When you specify that template as part of application deployment, you choose the policy that you want to deploy with it. For additional details about deploying an application, refer to How to: Manage applications using BIG-IP Next Central Manager and FAST templates.

Create a policy with an artifact resolution service

An artifact resolution service (ARS) configures handlers responsible for resolving SAML 2.0 artifacts into protocol messages. Configure a SAML policy with an artifact resolution service if the SP (BIG-IP) is required to exchange an artifact for an assertion.
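The page describes the ARS as the place where an artifact is exchanged for an assertion but does not show what the artifact carries or how the SP decides which IdP to ask. The following Python is an added example, not code from this page or from F5, and goes beyond the page by working at the SAML 2.0 Bindings level: it decodes an artifact (type code, endpoint index, SourceID, message handle), maps the SourceID back to one of the configured IdP connectors using the entity IDs from the page's sample bodies, and builds the ArtifactResolve message the SP would send to the ARS Location URL. The artifact is constructed locally for the example; signing the request (the Yes/No option in the procedure below) is not shown.

```python
import base64
import hashlib
import hmac
import os
import struct
from xml.sax.saxutils import escape

# SAML 2.0 artifact layout (Bindings 3.6.4): TypeCode(2) | EndpointIndex(2) | SourceID(20) | MessageHandle(20)
ARTIFACT_TYPE_CODE = 0x0004
ARTIFACT_LEN = 44


def source_id(entity_id):
    """SourceID is the SHA-1 of the issuing IdP's entity ID; it is how the SP knows who issued the artifact."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def build_artifact(idp_entity_id, endpoint_index=0, handle=None):
    """Constructed artifact, as an IdP would issue it; used only to drive this example."""
    handle = handle if handle is not None else os.urandom(20)
    raw = struct.pack(">HH", ARTIFACT_TYPE_CODE, endpoint_index) + source_id(idp_entity_id) + handle
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(artifact):
    """Decode and sanity-check an artifact before doing anything with it."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != ARTIFACT_LEN:
        raise ValueError("artifact must decode to %d bytes, got %d" % (ARTIFACT_LEN, len(raw)))
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != ARTIFACT_TYPE_CODE:
        raise ValueError("unsupported artifact type code 0x%04x" % type_code)
    return {"endpoint_index": endpoint_index, "source_id": raw[4:24], "message_handle": raw[24:44]}


def select_idp_connector(artifact, connectors):
    """Map the artifact's SourceID back to a configured IdP connector (entityId as in the page's
    externalServers entries). An artifact from an unknown issuer is refused, so the SP never calls
    an ARS it was not configured to trust."""
    parsed = parse_artifact(artifact)
    for connector in connectors:
        if hmac.compare_digest(source_id(connector["entityId"]), parsed["source_id"]):
            return connector
    raise LookupError("artifact SourceID does not match any configured IdP connector")


def build_artifact_resolve(sp_entity_id, artifact, request_id, issue_instant):
    """ArtifactResolve message (SAML 2.0 Core 3.5.1) the SP sends to the ARS Location URL.
    The 'sign the artifact resolution request' option adds an XML signature over this; not shown."""
    attr = lambda value: escape(value, {'"': "&quot;"})  # attribute values also need quotes escaped
    return (
        '<samlp:ArtifactResolve xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="%s" Version="2.0" IssueInstant="%s">' % (attr(request_id), attr(issue_instant))
        + "<saml:Issuer>%s</saml:Issuer>" % escape(sp_entity_id)
        + "<samlp:Artifact>%s</samlp:Artifact>" % escape(artifact)
        + "</samlp:ArtifactResolve>"
    )


if __name__ == "__main__":
    # Connector names and entity IDs are taken from the page's sample bodies; the artifact is constructed here.
    connectors = [{"name": "Connector1", "entityId": "http://entity2.com"},
                  {"name": "artifactConnect", "entityId": "http://entity7.com"}]
    artifact = build_artifact("http://entity7.com")
    chosen = select_idp_connector(artifact, connectors)
    print("artifact issued by connector", chosen["name"])
    print(build_artifact_resolve("http://acme.com", artifact, "_" + os.urandom(8).hex(), "2024-01-01T00:00:00Z"))
```

The SourceID comparison is the check that matters: the artifact is an opaque reference, and the only thing binding it to a trusted IdP is that SHA-1 of a configured entity ID. The Username and Password entered in the procedure below authenticate the SP to the ARS endpoint itself; they do not replace that check.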

Using BIG-IP Next Central Manager GUI

In this example, we use the BIG-IP Next Central Manager user interface to create a new SAML service provider (SP) Access policy that uses an artifact resolution service.

  1. Log in to BIG-IP Next Central Manager as admin, click the Workspace icon, click Security, and then click Access.

  2. At the top of the screen, click Create.
    The Visual Policy Designer (VPD) workspace opens.

  3. At the top of the page, click the Edit icon.
    The Create Policy page opens.

  4. Type a Policy Name for the policy.

  5. Scroll through the remaining (optional) properties and revise any value that you want to change from its default setting.

  6. Click Save & Continue.
    The Session Properties tab of the Create Policy page opens.

  7. Scroll through the properties on this tab and revise any value that you want to change from its default setting.

  8. Click Save & Continue.
    The Logging tab of the Create Policy page opens.

  9. Select the logging level for Traffic Manager.

  10. Select the logging level for Web SSO.

  11. Select the logging level for Access Policy.

  12. Select the logging level for Renderer.

  13. Click Save & Continue.
    The Single Sign-On tab of the Create Policy page opens.

  14. To specify a single sign-on method for this policy, click Start Creating, then select a method.

    • For details about specifying an HTTP Basic method, see HTTP Basic SSO.

    • For details about specifying a Kerberos method, see Kerberos SSO.

  15. Click Save & Continue. The Policy Endings tab of the Create Policy page opens.

  16. Confirm that the policy endings are correctly set and then click Save & Finish.
    The VPD workspace opens.

  17. Drag the Basic-SAML-Auth flow into the VPD workspace.

  18. On the Basic-SAML-Auth flow, click the Expand icon.
    The flow expands so you can edit it.

  19. Hover the cursor over the SAML_Auth rule inside the Basic-SAML-Auth flow and then click the Edit icon.
    The General Properties tab of the Rule Configuration page opens.

  20. Specify General Properties for the policy.

    1. For Service Name, type the name for the service.

    2. Under Service Provider Configuration, select Advanced.
      Additional fields are displayed.

    3. Clear the Authentication Context Classes toggle.

    4. Click Save & Continue.

    5. Under Service Providers, click Edit.
      The Add Service Provider page opens.

    6. For Audience URI (Entity ID), confirm the URI for the service is correct.

    7. For Host, confirm that the URL of the website is correct.

      Note: The URL must include the scheme and hostname. Host is required only if the entity ID is not in URL format.

    8. Under Security Properties, clear the Sign Authentication Requests checkbox.

    9. From Message Signing Certificate and Key, select a certificate and key pair.

    10. Under Security Properties, clear the Want Encrypted Assertion checkbox.

    11. Under Security Properties, clear the Want signed Assertion checkbox.

    12. Scroll through the remaining (optional) properties and revise any value that you want to change from its default setting.

    13. Click Save to save the Service Provider settings and return to the Providers tab.

  21. Under Identity Providers, decide whether you are going to specify settings for the provider or import them.

    • To specify settings for an identity provider:

      1. Click Start Creating.
        The Add Identity Provider page opens.

      2. For Issuer (Entity ID), type the ID for the identity provider.

      3. For Single Sign-on Service URL, type the URL for this connector.

      4. Click Save & Continue.
        The Artifact Resolution Service tab of the Configuration page displays; proceed to the next step.

    • To import settings for an identity provider from a file:

      1. Click Import, then select Import from metadata.
        The Import from metadata page opens.

      2. Drag and drop or browse to the file you want to import.
        When you complete your selection, BIG-IP Next Central Manager imports the settings from the file you chose and displays them on screen.

      3. When you are satisfied with the settings, click Save & Continue.
        The Artifact Resolution Service tab of the Configuration page displays; proceed to the next step.

    • To import settings for an identity provider from a URL:

      1. Click Import, then select Import from URL.
        The Import from URL screen opens.

      2. Enter the URL provided by your identity provider and click Enter.
        BIG-IP Next Central Manager imports the settings from the URL you chose and displays them on screen.

      3. When you are satisfied with the settings, click Save & Continue.
        The Artifact Resolution Service tab of the Configuration page displays; proceed to the next step.

  22. Under Artifact Resolution Service, type the Location URL for this artifact resolution service.

  23. Click Yes or No to specify whether the artifact resolution request must be signed.

  24. Type a Username and Password for this artifact resolution service.

  25. Click Save & Continue.
    The Providers tab of the Rule Configurations page displays.

  26. On the Providers tab of the Rule Configurations page, click Save & Continue.
    The Branches tab of the Rule Configurations page opens.

  27. Under Branches, click Create.
    The Branches page opens.

  28. Under Expression, select a Context and a Condition for this branch, then select the option appropriate for the context you selected.

  29. Add any (optional) AND or OR branches needed for the policy, and then click Save & Finish.

  30. On the Branches tab of the Rule Configuration page, click Save & Finish.
    The VPD workspace displays the revised policy.

  31. Review the policy in the VPD workspace; then, when you are satisfied with the settings, click Save & Finish to finish creating the policy.
    BIG-IP Next Central Manager adds the policy to the Access Policies list.

    Note: To deploy this policy with an application, you deploy an application that uses the Access template. When you specify that template as part of application deployment, you choose the policy that you want to deploy with it. For additional details about deploying an application, refer to How to: Manage applications using BIG-IP Next Central Manager and FAST templates.

Using BIG-IP Next Central Manager API

In this example, we use the BIG-IP Next Central Manager API to create a new SAML service provider (SP) Access policy with an artifact resolution service.

  1. Authenticate with the BIG-IP Next Central Manager API. For details, refer to How to: Authenticate with the BIG-IP Next Central Manager API.

  2. Create the policy by sending a POST to the /api/v1/spaces/default/security/access-policies endpoint.

    POST https://{{big-ip_next_cm_mgmt_ip}}/api/v1/spaces/default/security/access-policies
    

    For the API body, use the following, substituting values appropriate for the policy you want to create.

    {
     "description": "Policy 7",
     "name": "Policy7",
     "policy_type": "PerSession",
     "properties": [
      {
       "configuration": {
        "policyType": "PerSession",
        "name": "Policy7",
        "profileType": "all",
        "scope": "profile",
        "timeout": 300,
        "inactivityTimeout": 900,
        "maxSessionTimeout": 604800,
        "maxConcurrentUsers": 0,
        "maxConcurrentSessions": 0,
        "maxInProgressSessions": 128,
        "minFailureDelay": 2,
        "maxFailureDelay": 5,
        "domainCookie": "",
        "secureCookie": true,
        "persistentCookie": false,
        "httpOnlyCookie": false,
        "samesiteCookie": false,
        "samesiteCookieAttrValue": "strict",
        "restrictToSingleClientIP": false,
        "useHttp503OnError": false,
        "logoutUriInclude": "",
        "logoutUriTimeout": 5,
        "externalServers": [
         {
          "entityId": "http://entity7.com",
          "name": "artifactConnect",
          "serverType": "SamlIdPConnector",
          "ssoUri": "http://acme.com",
          "wantAuthnRequestSigned": false,
          "wantDetachedSignature": false,
          "identityLocation": "subject",
          "signatureType": "sha256",
          "singleLogoutBinding": "http-post",
          "ssoBinding": "http-post"
         }
        ],
        "policy": {
         "objectContent": {
          "type": "PerSession",
          "name": "Policy7",
          "defaultLanguage": "en",
          "languages": [
           "en"
          ],
          "start": {
           "itemType": "saml",
           "name": "Policy7_item",
            "service": {
             "name": "",
             "description": "",
             "entityId": "http://artifact.entry.com",
             "acsBinding": "http-post",
             "isAuthnRequestSigned": false,
             "wantAssertionEncrypted": false,
             "wantAssertionSigned": true,
             "authCtxComparisonType": "exact",
             "forceAuthn": false,
             "allowNameIdentifierCreation": true,
             "nameIdFormat": "unspecified",
             "relayState": "",
             "nameIdSpNameQualifier": "",
             "providerName": "",
             "spURI": "http://acme.com",
             "idpConnectors": [
              {
               "name": "artifactConnect"
              }
             ]
            },
            "nextItems": [
             {
              "name": "Allow",
              "expression": "expr {[mcget {session.saml.last.result}] == 1}",
              "itemType": "allow"
             },
             {
              "name": "Deny",
              "itemType": "deny"
             }
            ]
           }
         }
        }
       }
      }
     ],
     "use_case": "SAML-SP"
    }
    

    BIG-IP Next Central Manager creates the policy specified by the parameter values used in the body of your POST.

    Note: To deploy this policy with an application, you deploy an application that uses the Access template. When you specify that template as part of application deployment, you choose the policy that you want to deploy with it. For additional details about deploying an application, refer to How to: Manage applications using BIG-IP Next Central Manager and FAST templates.
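The three API procedures above (attribute consuming service, authentication context classes, artifact resolution service) all POST the same body shape to the same endpoint with different values. The following Python is an added example, not code from this page or from F5: it assembles that body from the page's own field names, runs a pre-deployment audit over the settings a reviewer would question (the sample bodies leave httpOnlyCookie and samesiteCookie false and use plaintext http:// endpoints), and posts the result. The bearer-token Authorization header, the host name and the constructed entity IDs are assumptions. Note that the sample bodies on this page do not show attribute consuming service, authentication context class or ARS fields, so this builder does not add them either.

```python
import json
import ssl
import urllib.request

ACCESS_POLICIES_PATH = "/api/v1/spaces/default/security/access-policies"


def idp_connector(name, entity_id, sso_uri, want_authn_request_signed=False):
    """One externalServers entry, in the shape of the page's sample bodies."""
    return {"entityId": entity_id, "name": name, "serverType": "SamlIdPConnector", "ssoUri": sso_uri,
            "wantAuthnRequestSigned": want_authn_request_signed, "wantDetachedSignature": False,
            "identityLocation": "subject", "signatureType": "sha256",
            "singleLogoutBinding": "http-post", "ssoBinding": "http-post"}


def saml_sp_policy(name, sp_uri, connectors, sign_authn_requests=False, want_assertion_signed=True,
                   want_assertion_encrypted=False, description="", **session_overrides):
    """Assemble the POST body from the page's field names. Session-level keys (httpOnlyCookie,
    samesiteCookie, timeout, ...) default to the page's sample values; override them by keyword."""
    service = {"name": "", "description": "", "entityId": sp_uri, "acsBinding": "http-post",
               "isAuthnRequestSigned": sign_authn_requests, "wantAssertionEncrypted": want_assertion_encrypted,
               "wantAssertionSigned": want_assertion_signed, "authCtxComparisonType": "exact",
               "forceAuthn": False, "allowNameIdentifierCreation": True, "nameIdFormat": "unspecified",
               "relayState": "", "nameIdSpNameQualifier": "", "providerName": "", "spURI": sp_uri,
               "idpConnectors": [{"name": c["name"]} for c in connectors]}
    branches = [{"name": "Allow", "expression": "expr {[mcget {session.saml.last.result}] == 1}",
                 "itemType": "allow"},
                {"name": "Deny", "itemType": "deny"}]
    configuration = {"policyType": "PerSession", "name": name, "profileType": "all", "scope": "profile",
                     "timeout": 300, "inactivityTimeout": 900, "maxSessionTimeout": 604800,
                     "maxConcurrentUsers": 0, "maxConcurrentSessions": 0, "maxInProgressSessions": 128,
                     "minFailureDelay": 2, "maxFailureDelay": 5, "domainCookie": "", "secureCookie": True,
                     "persistentCookie": False, "httpOnlyCookie": False, "samesiteCookie": False,
                     "samesiteCookieAttrValue": "strict", "restrictToSingleClientIP": False,
                     "useHttp503OnError": False, "logoutUriInclude": "", "logoutUriTimeout": 5,
                     "externalServers": connectors,
                     "policy": {"objectContent": {"type": "PerSession", "name": name, "defaultLanguage": "en",
                                                  "languages": ["en"],
                                                  "start": {"itemType": "saml", "name": name + "_item",
                                                            "service": service, "nextItems": branches}}}}
    configuration.update(session_overrides)
    return {"description": description, "name": name, "policy_type": "PerSession",
            "properties": [{"configuration": configuration}], "use_case": "SAML-SP"}


def audit_policy(body):
    """Findings a reviewer would raise on this body before deploying it. Returns [] when clean."""
    cfg = body["properties"][0]["configuration"]
    svc = cfg["policy"]["objectContent"]["start"]["service"]
    findings = []
    if not svc["wantAssertionSigned"]:
        findings.append("wantAssertionSigned is false: the SP will accept assertions the IdP did not sign")
    if not cfg["secureCookie"]:
        findings.append("secureCookie is false: the session cookie can be sent over plaintext HTTP")
    if not cfg["httpOnlyCookie"]:
        findings.append("httpOnlyCookie is false: the session cookie can be read by page script")
    if not cfg["samesiteCookie"]:
        findings.append("samesiteCookie is false: no SameSite attribute on the session cookie "
                        "(if you enable it, test the IdP's HTTP-POST back to the ACS, which is cross-site)")
    for url in [svc["spURI"]] + [s["ssoUri"] for s in cfg["externalServers"]]:
        if url.lower().startswith("http://"):
            findings.append("plaintext endpoint in SAML configuration: " + url)
    defined = {c["name"] for c in cfg["externalServers"]}
    for ref in svc.get("idpConnectors", []):
        if ref["name"] not in defined:
            findings.append("idpConnectors references an undefined connector: " + ref["name"])
    return findings


def post_policy(cm_host, token, body, cafile=None):
    """POST the body to Central Manager. The bearer-token header is an assumption; obtain the token as
    described in the authentication how-to. TLS verification stays on (pass your CA bundle as cafile)."""
    req = urllib.request.Request("https://%s%s" % (cm_host, ACCESS_POLICIES_PATH),
                                 data=json.dumps(body).encode("utf-8"), method="POST",
                                 headers={"Content-Type": "application/json", "Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, context=ssl.create_default_context(cafile=cafile), timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Values from the page's Policy7 sample; expect four findings (two cookie flags, two http:// endpoints).
    body = saml_sp_policy("Policy7", "http://acme.com",
                          [idp_connector("artifactConnect", "http://entity7.com", "http://acme.com")])
    for finding in audit_policy(body):
        print("FINDING:", finding)
    # post_policy("cm.example.test", "<token>", body)  # assumed host; run only once the audit is clean
```

Run the audit before every POST rather than after deployment: once the policy is attached to an application, a cleared Want Signed Assertion setting or a plaintext ACS host is live on the SP. The SameSite finding is deliberately advisory, because the IdP returns the assertion by cross-site POST and a Strict cookie is not sent on that request.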

Create a policy with multiple IdP connectors

You might bind multiple IdP connectors to an SP service on BIG-IP Next when you provide services to different businesses and universities, each of which specifies an IdP to identify its users. When the user’s information arrives at the SP service on BIG-IP Next, the SP service identifies the correct IdP and then redirects the user to authenticate against that IdP before it provides access to the service. BIG-IP Next Access chooses the correct IdP connector at run time through a filtering and matching process called IdP discovery.

The typical Access policy on BIG-IP Next configured as an SP presents a logon page to the user. The Logon Page agent populates session variables; you can customize the Logon Page agent to change the values it sets. The SAML Auth agent, which specifies an AAA service that requests authentication from an external IdP, follows the logon page.

Tree-structure SAML with logon

Using BIG-IP Next Central Manager GUI

In this use case, the IdP selection is based on the user’s information without displaying a logon page.

  1. Log in to BIG-IP Next Central Manager as admin, click the Workspace icon, click Security, and then click Access.

  2. At the top of the screen, click Create.
    The Visual Policy Designer (VPD) workspace opens.

  3. At the top of the page, click the Edit icon.
    The Create Policy page opens.

  4. Type a Policy Name for the policy.

  5. Scroll through the remaining (optional) properties and revise any value that you want to change from its default setting.

  6. Click Save & Continue.
    The Session Properties tab of the Create Policy page opens.

  7. Scroll through the properties on this tab and revise any value that you want to change from its default setting.

  8. Click Save & Continue.
    The Logging tab of the Create Policy page opens.

  9. Select the logging level for Traffic Manager.

  10. Select the logging level for Web SSO.

  11. Select the logging level for Access Policy.

  12. Select the logging level for Renderer.

  13. Click Save & Continue.
    The Single Sign-On tab of the Create Policy page opens.

  14. To specify a single sign-on method for this policy, click Start Creating, then select a method.

    • For details about specifying an HTTP Basic method, see HTTP Basic SSO.

    • For details about specifying a Kerberos method, see Kerberos SSO.

  15. Click Save & Continue. The Policy Endings tab of the Create Policy page opens.

  16. Confirm that the policy endings are correctly set and then click Save & Finish.
    The VPD workspace opens.

  17. Drag the Basic-SAML-Auth flow into the VPD workspace.

  18. On the Basic-SAML-Auth flow, click the Expand icon.
    The flow expands so you can edit it.

  19. Hover the cursor over the SAML_Auth rule inside the Basic-SAML-Auth flow and then click the Edit icon.
    The General Properties tab of the Rule Configuration page opens.

  20. For Service Name, type the name for the service.

  21. Under Service Provider Configuration, select Advanced. Additional fields are displayed.

  22. Select the Multiple Identity Providers toggle.

  23. Click Save & Continue.

  24. Under Identity Providers, decide whether you are going to specify settings for the provider or import them.

    • To specify settings for an identity provider:

      1. Click Start Creating.
        The Add Identity Provider page opens.

      2. For Issuer (Entity ID), type the ID for the identity provider.

      3. For Single Sign-on Service URL, type the URL for this connector.

      4. Click Save.

    • To import settings for an identity provider from a file:

      1. Click Import, then select Import from metadata.
        The Import from metadata page opens.

      2. Drag and drop or browse to the file you want to import.
        When you complete your selection, BIG-IP Next Central Manager imports the settings from the file you chose and displays them on screen.

      3. When you are satisfied with the settings, click Save.

    • To import settings for an identity provider from a URL:

      1. Click Import, then select Import from URL.
        The Import from URL screen opens.

      2. Enter the URL provided by your identity provider and click Enter.
        BIG-IP Next Central Manager imports the settings from the URL you chose and displays them on screen.

      3. When you are satisfied with the settings, click Save.
        The Providers tab of the Rule Configuration page displays.

  25. From the Add button, select the option you want to use for adding the second connector.

  26. Repeat the last several steps to add additional connectors, and then click Save.

  27. When you finish adding the connectors needed for this policy, on the Connectors tab of the Identity Providers screen, click Save & Continue.
    The Bindings tab of the Identity Providers screen opens.

  28. On the Bindings tab of the Identity Providers screen, bind each connector to the criterion that IdP discovery evaluates at run time:

    1. For the first IdP Connector Matching Source, type the session variable (or value) that is evaluated for the first connector.

    2. For the first IdP Connector Matching Value, type the value that, when the Matching Source matches it, selects the first connector.

    3. For the second IdP Connector Matching Source, type the session variable (or value) that is evaluated for the second connector.

    4. For the second IdP Connector Matching Value, type the value that, when the Matching Source matches it, selects the second connector.

    5. Click Save & Finish.

  29. On the Providers tab of the Rule Configuration page, click Save & Continue.
    The Branches tab of the Rule Configuration page opens.

  30. Under Branches, click Create.
    The Branches page opens.

  31. Under Expression, select a Context and a Condition for this branch, then select the option appropriate for the context you selected.

  32. Add any (optional) AND or OR branches needed for the policy, and then click Save & Finish.

  33. On the Branches tab of the Rule Configuration page, click Save & Finish.
    The VPD workspace displays the revised policy.

  34. Review the policy in the VPD workspace; then, when you are satisfied with the settings, click Save & Finish to finish creating the policy.
    BIG-IP Next Central Manager adds the policy to the Access Policies list.

    Note: To deploy this policy with an application, you deploy an application that uses the Access template. When you specify that template as part of application deployment, you choose the policy that you want to deploy with it. For additional details about deploying an application, refer to How to: Manage applications using BIG-IP Next Central Manager and FAST templates.

Using BIG-IP Next Central Manager API

In this example, we use the BIG-IP Next Central Manager API to create a new SAML service provider (SP) Access policy with multiple IdP connectors.

  1. Authenticate with the BIG-IP Next Central Manager API. For details refer to How to: Authenticate with the BIG-IP Next Central Manager API.

  2. Create the policy by sending a POST to the /api/v1/spaces/default/security/access-policies endpoint.

    POST https://{{big-ip_next_cm_mgmt_ip}}/api/v1/spaces/default/security/access-policies
    

    For the API body, use the following, substituting values appropriate for the policy you want to create. Each entry under idpConnectors must name a connector defined under externalServers, and its matchingSource and matchingValue are the binding that IdP discovery evaluates to select that connector. The http:// entity IDs and ssoUri values below are placeholders; in a real deployment the IdP endpoints should be https://.

     {
     "description": "Multiple IDP Connectors",
     "name": "Multiple-IDP",
     "policy_type": "PerSession",
     "properties": [
      {
       "configuration": {
        "policyType": "PerSession",
        "name": "Multiple-IDP",
        "profileType": "all",
        "scope": "profile",
        "timeout": 300,
        "inactivityTimeout": 900,
        "maxSessionTimeout": 604800,
        "maxConcurrentUsers": 0,
        "maxConcurrentSessions": 0,
        "maxInProgressSessions": 128,
        "minFailureDelay": 2,
        "maxFailureDelay": 5,
        "domainCookie": "",
        "secureCookie": true,
        "persistentCookie": false,
        "httpOnlyCookie": false,
        "samesiteCookie": false,
        "samesiteCookieAttrValue": "strict",
        "restrictToSingleClientIP": false,
        "useHttp503OnError": false,
        "logoutUriInclude": "",
        "logoutUriTimeout": 5,
        "externalServers": [
         {
          "entityId": "http://entity3.com",
          "name": "Connector2",
          "serverType": "SamlIdPConnector",
          "ssoUri": "http://acme.com",
          "wantAuthnRequestSigned": false,
          "wantDetachedSignature": false,
          "identityLocation": "subject",
          "signatureType": "sha256",
          "singleLogoutBinding": "http-post",
          "ssoBinding": "http-post"
         },
         {
          "entityId": "http://entity4",
          "name": "Connector4",
          "serverType": "SamlIdPConnector",
          "ssoUri": "http://acme.com",
          "wantAuthnRequestSigned": false,
          "wantDetachedSignature": false,
          "identityLocation": "subject",
          "signatureType": "sha256",
          "singleLogoutBinding": "http-post",
          "ssoBinding": "http-post"
         }
        ],
        "policy": {
         "objectContent": {
          "type": "PerSession",
          "name": "Multiple-IDP",
          "defaultLanguage": "en",
          "languages": [
           "en"
          ],
          "start": {
           "itemType": "saml",
           "name": "Multiple-IDP_item",
           "service": {
            "name": "",
            "description": "",
            "entityId": "http://entity3",
            "acsBinding": "http-post",
            "isAuthnRequestSigned": false,
            "wantAssertionEncrypted": false,
            "wantAssertionSigned": true,
            "authCtxComparisonType": "exact",
            "forceAuthn": false,
            "allowNameIdentifierCreation": true,
            "nameIdFormat": "unspecified",
            "relayState": "",
            "nameIdSpNameQualifier": "",
            "providerName": "",
            "spURI": "http://acme.com",
            "idpConnectors": [
             {
              "name": "Connector2",
              "matchingSource": "source1",
              "matchingValue": "value1"
             },
             {
              "name": "Connector4",
              "matchingSource": "source4",
              "matchingValue": "value4"
             }
            ]
           },
           "nextItems": [
            {
             "name": "Allow",
             "expression": "expr {[mcget {session.saml.last.result}] == 1}",
             "itemType": "allow"
            },
            {
             "name": "Deny",
             "itemType": "deny"
            }
           ]
          }
         }
        }
       }
      }
     ],
     "use_case": "SAML-SP"
    }
    

    BIG-IP Next Central Manager creates the policy specified by the parameter values used in the body of your POST.

    Note: To deploy this policy with an application, you deploy an application that uses the Access template. When you specify that template as part of application deployment, you choose the policy that you want to deploy with it. For additional details about deploying an application, refer to How to: Manage applications using BIG-IP Next Central Manager and FAST templates.
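    The multi-IdP body above, assembled and cross-checked in Python before it is sent. This is an added example written for this how-to, not code from F5 or from the Central Manager product: build_policy reproduces the field layout of the POST body above, check_policy flags an idpConnectors entry that names no externalServers connector, a connector with no matchingSource/matchingValue, a duplicate connector name, a non-https ssoUri, and unsigned assertions, and the script submits the body with a bearer token only when no problem is found. The CM_HOST address, entity IDs, URLs, credentials and the session-variable names used as matching sources are placeholders, and a POST to /api/login returning an access_token is assumed from the authentication how-to referenced in step 1.

```python
"""Build, check and submit a multi-IdP SAML SP Access policy body.

Added example for this how-to, not F5 code. CM_HOST, entity IDs, URLs,
credentials and matching-source variables are placeholders; POST /api/login
returning an access_token is assumed from the authentication how-to.
"""
import json
import ssl
import urllib.request
from typing import Any

CM_HOST = "https://192.0.2.10"  # placeholder Central Manager management address
POLICY_PATH = "/api/v1/spaces/default/security/access-policies"


def idp_connector(name: str, entity_id: str, sso_uri: str) -> dict[str, Any]:
    """One externalServers entry with the same fields as the page's body."""
    return {"entityId": entity_id, "name": name, "serverType": "SamlIdPConnector",
            "ssoUri": sso_uri, "wantAuthnRequestSigned": False,
            "wantDetachedSignature": False, "identityLocation": "subject",
            "signatureType": "sha256", "singleLogoutBinding": "http-post",
            "ssoBinding": "http-post"}


def build_policy(name: str, sp_entity_id: str, sp_uri: str, connectors: list[dict[str, Any]],
                 bindings: list[tuple[str, str, str]]) -> dict[str, Any]:
    """Assemble the POST body; each binding is (connector, matchingSource, matchingValue)."""
    service = {"name": "", "description": "", "entityId": sp_entity_id,
               "acsBinding": "http-post", "isAuthnRequestSigned": False,
               "wantAssertionEncrypted": False, "wantAssertionSigned": True,
               "authCtxComparisonType": "exact", "forceAuthn": False,
               "allowNameIdentifierCreation": True, "nameIdFormat": "unspecified",
               "relayState": "", "nameIdSpNameQualifier": "", "providerName": "",
               "spURI": sp_uri,
               "idpConnectors": [{"name": c, "matchingSource": s, "matchingValue": v}
                                 for c, s, v in bindings]}
    start = {"itemType": "saml", "name": f"{name}_item", "service": service,
             "nextItems": [{"name": "Allow", "itemType": "allow",
                            "expression": "expr {[mcget {session.saml.last.result}] == 1}"},
                           {"name": "Deny", "itemType": "deny"}]}
    configuration = {
        "policyType": "PerSession", "name": name, "profileType": "all", "scope": "profile",
        "timeout": 300, "inactivityTimeout": 900, "maxSessionTimeout": 604800,
        "maxConcurrentUsers": 0, "maxConcurrentSessions": 0, "maxInProgressSessions": 128,
        "minFailureDelay": 2, "maxFailureDelay": 5, "domainCookie": "",
        "secureCookie": True, "persistentCookie": False, "httpOnlyCookie": True,
        "samesiteCookie": False, "samesiteCookieAttrValue": "strict",
        "restrictToSingleClientIP": False, "useHttp503OnError": False,
        "logoutUriInclude": "", "logoutUriTimeout": 5,
        "externalServers": connectors,
        "policy": {"objectContent": {"type": "PerSession", "name": name, "defaultLanguage": "en",
                                     "languages": ["en"], "start": start}}}
    return {"name": name, "description": "Multiple IdP connectors", "policy_type": "PerSession",
            "properties": [{"configuration": configuration}], "use_case": "SAML-SP"}


def check_policy(body: dict[str, Any]) -> list[str]:
    """Cross-reference and hardening checks to run before the POST."""
    cfg = body["properties"][0]["configuration"]
    service = cfg["policy"]["objectContent"]["start"]["service"]
    names = [s["name"] for s in cfg["externalServers"]]
    problems = [f"duplicate connector name {n!r}" for n in sorted(set(names)) if names.count(n) > 1]
    refs = service["idpConnectors"]
    for ref in refs:
        if ref["name"] not in names:
            problems.append(f"idpConnectors names unknown connector {ref['name']!r}")
        if len(refs) > 1 and not (ref.get("matchingSource") and ref.get("matchingValue")):
            problems.append(f"connector {ref['name']!r} has no matchingSource/matchingValue, "
                            "so IdP discovery cannot select it")
    for srv in cfg["externalServers"]:
        if not srv["ssoUri"].startswith("https://"):
            problems.append(f"connector {srv['name']!r}: ssoUri is not https")
    if not service["wantAssertionSigned"]:
        problems.append("wantAssertionSigned is false: unsigned assertions would be trusted")
    if not cfg["secureCookie"]:
        problems.append("secureCookie is false: the session cookie can travel over plain HTTP")
    return problems


def post_json(path: str, payload: dict[str, Any], token: str = "") -> dict[str, Any]:
    """POST JSON to Central Manager; the default SSL context verifies its certificate."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(CM_HOST + path, data=json.dumps(payload).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.load(resp)


if __name__ == "__main__":
    connectors = [idp_connector("Connector2", "https://idp.uni-a.example/saml",
                                "https://idp.uni-a.example/saml/sso"),
                  idp_connector("Connector4", "https://idp.biz-b.example/saml",
                                "https://idp.biz-b.example/saml/sso")]
    # Placeholder bindings: use the session variable your policy actually populates.
    bindings = [("Connector2", "session.logon.last.domain", "uni-a.example"),
                ("Connector4", "session.logon.last.domain", "biz-b.example")]
    body = build_policy("Multiple-IDP", "https://sp.example.com/saml", "https://sp.example.com",
                        connectors, bindings)
    if problems := check_policy(body):
        raise SystemExit("\n".join(problems))
    token = post_json("/api/login", {"username": "admin", "password": "replace-me"})["access_token"]
    print(json.dumps(post_json(POLICY_PATH, body, token), indent=1))
```

    Run the script only after replacing the placeholder addresses and the admin password; the checks are deliberately strict so that a typo in a connector name, which the GUI would catch on the Bindings tab, is caught here before the policy is created.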

Create a policy with Kerberos SSO

Single Sign-On (SSO) leverages credential caching and proxying to allow users to access multiple applications using one set of credentials. To use Kerberos SSO, you must have Kerberos configured in your environment and must create a delegation account in Microsoft Active Directory.

Refer to Overview of Kerberos constrained delegation for instructions on creating a delegation account.

For up-to-date instructions on configuring the Kerberos delegation, refer to the Microsoft documentation.

Note: You must configure designated web servers in the delegation account to accept Kerberos authentication.

Using BIG-IP Next Central Manager GUI

  1. Log in to BIG-IP Next Central Manager as admin, click the Workspace icon, click Security, and then click Access.

  2. At the top of the screen, click Create.
    The Visual Policy Designer (VPD) workspace opens.

  3. At the top of the page, click the Edit icon.
    The Create Policy page opens.

  4. Type a Policy Name for the policy.

  5. Scroll through the remaining (optional) properties and revise any value that you want to change from its default setting.

  6. Click Save & Continue.
    The Session Properties tab of the Create Policy page opens.

  7. Scroll through the properties on this tab and revise any value that you want to change from its default setting.

  8. Click Save & Continue.
    The Logging tab of the Create Policy page opens.

  9. Select the logging level for Traffic Manager.

  10. Select the logging level for Web SSO.

  11. Select the logging level for Access Policy.

  12. Select the logging level for Renderer.

  13. Click Save & Continue.
    The Single Sign-On tab of the Create Policy page opens.

  14. To specify a single sign-on method for this policy, click Start Creating, then select a method.

    • For details about specifying an HTTP Basic method, see HTTP Basic SSO.

    • For details about specifying a Kerberos method, see Kerberos SSO.

  15. Click Save & Continue. The Policy Endings tab of the Create Policy page opens.

  16. Confirm that the policy endings are correctly set and then click Save & Finish.
    The VPD workspace opens.

  17. Drag the Basic-SAML-Auth flow into the VPD workspace.

  18. On the Basic-SAML-Auth flow, click the Expand icon.
    The flow expands so you can edit it.

  19. Hover the cursor over the SAML_Auth rule and then click the Edit icon.
    The General Properties tab of the Rule Configuration page opens.

  20. Specify General Properties for the policy.

    1. For Service Name, type the name for the service.

    2. Click Save & Continue.
      The Providers tab opens.

  21. Under Service Providers, click Edit. The Add Service Provider page opens.

  22. For Audience URI (Entity ID), confirm that the URI for the service is correct.

  23. For Host, confirm that the URL for the website is correct.

    Note: The URL must include the scheme and hostname. Host is required only if the entity ID is not in URL format.

  24. Scroll through the remaining (optional) properties and revise any value that you want to change from its default setting.

  25. Click Save to save the Service Provider settings and return to the Providers tab.

  26. Under Identity Providers, decide whether you are going to specify settings for the provider or import them.

    • To specify settings for an identity provider:

      1. Click Start Creating.
        The Add Identity Provider page opens.

      2. For Issuer (Entity ID), type the ID for the identity provider.

      3. For Single Sign-on Service URL, type the URL for this connector.

      4. Click Save.

    • To import settings for an identity provider from a file:

      1. Click Import, then select Import from metadata.
        The Import from metadata page opens.

      2. Drag and drop or browse to the file you want to import.
        When you complete your selection, BIG-IP Next Central Manager imports the settings from the file you chose and displays them on screen.

      3. When you are satisfied with the settings, click Save.

    • To import settings for an identity provider from a URL:

      1. Click Import, then select Import from URL.
        The Import from URL screen opens.

      2. Enter the URL provided by your identity provider and click Enter.
        BIG-IP Next Central Manager imports the settings from the URL you chose and displays them on screen.

      3. When you are satisfied with the settings, click Save.

  27. On the Providers tab of the Rule Configuration page, click Save & Continue.
    The Branches tab of the Rule Configuration page opens.

  28. Under Branches, click Create.
    The Branches page opens.

  29. Under Expression, select a Context and a Condition for this branch, then select the option appropriate for the context you selected.

  30. Add any (optional) AND or OR branches needed for the policy, and then click Save & Finish.

  31. On the Branches tab of the Rule Configuration page, click Save & Finish.
    The VPD workspace displays the revised policy.

  32. Review the policy in the VPD workspace; then, when you are satisfied with the settings, click Save & Finish to finish creating the policy.
    BIG-IP Next Central Manager adds the policy to the Access Policies list.

Note: To deploy this policy with an application, you deploy an application that uses the Access template. When you specify that template as part of application deployment, you choose the policy that you want to deploy with it. For additional details about deploying an application, refer to How to: Manage applications using BIG-IP Next Central Manager and FAST templates.

Using BIG-IP Next Central Manager API

In this example, we use the BIG-IP Next Central Manager API to create a new SAML service provider (SP) Access policy with Kerberos SSO.

  1. Authenticate with the BIG-IP Next Central Manager API. For details refer to How to: Authenticate with the BIG-IP Next Central Manager API.

  2. Create the policy by sending a POST to the /api/v1/spaces/default/security/access-policies endpoint.

    POST https://{{big-ip_next_cm_mgmt_ip}}/api/v1/spaces/default/security/access-policies
    

    For the API body, use the following, substituting values appropriate for the policy you want to create. The example.com URLs, the EXAMPLE.COM realm, the KDC address and the accountPassword value are placeholders. The accountPassword is the credential of the Active Directory delegation account, so supply it from a secret store rather than leaving it in a saved request. Because wantAssertionEncrypted is true, decryptionCertificate and decryptionKey must name a certificate and key that are installed for the policy, and usernameSource and domainSource must name session variables that earlier agents in the policy populate.

     {
     "description": "Kerberos Policy",
     "name": "KerberosPolicy",
     "policy_type": "PerSession",
     "properties": [
      {
       "configuration": {
        "policyType": "PerSession",
        "name": "KerberosPolicy",
        "profileType": "all",
        "scope": "profile",
        "timeout": 300,
        "inactivityTimeout": 900,
        "maxSessionTimeout": 604800,
        "maxConcurrentUsers": 0,
        "maxConcurrentSessions": 0,
        "maxInProgressSessions": 128,
        "minFailureDelay": 2,
        "maxFailureDelay": 5,
        "domainCookie": "",
        "secureCookie": true,
        "persistentCookie": false,
        "httpOnlyCookie": false,
        "samesiteCookie": false,
        "samesiteCookieAttrValue": "strict",
        "restrictToSingleClientIP": false,
        "useHttp503OnError": false,
        "logoutUriInclude": "",
        "logoutUriTimeout": 5,
        "externalServers": [
          {
           "entityId": "https://idp.example.com/saml",
           "name": "IdP-Connector",
           "serverType": "SamlIdPConnector",
           "ssoUri": "https://idp.example.com/saml/sso",
           "wantAuthnRequestSigned": false,
           "wantDetachedSignature": false,
           "identityLocation": "subject",
           "signatureType": "sha256",
           "singleLogoutBinding": "http-post",
           "ssoBinding": "http-post"
          }
         ],
         "policy": {
          "objectContent": {
           "type": "PerSession",
           "name": "KerberosPolicy",
           "defaultLanguage": "en",
           "languages": [
            "en"
           ],
           "start": {
            "itemType": "saml",
            "name": "KerberosPolicy_item",
            "service": {
             "name": "",
             "description": "",
             "entityId": "http://entity6",
             "acsBinding": "http-post",
             "isAuthnRequestSigned": false,
             "wantAssertionEncrypted": true,
             "wantAssertionSigned": true,
             "authCtxComparisonType": "exact",
             "forceAuthn": false,
             "allowNameIdentifierCreation": true,
             "nameIdFormat": "unspecified",
             "relayState": "",
             "nameIdSpNameQualifier": "",
             "providerName": "",
             "spURI": "http://acme.com",
             "decryptionCertificate": "myCert1.crt",
             "decryptionKey": "myCert1.pem",
             "idpConnectors": [
              {
               "name": "IdP-Connector"
             }
            ]
           },
           "nextItems": [
            {
             "name": "Allow",
             "expression": "expr {[mcget {session.saml.last.result}] == 1}",
             "itemType": "allow"
            },
            {
             "name": "Deny",
             "itemType": "deny"
            }
           ]
          }
         }
        },
        "ssos": [
          {
           "ssoType": "Kerberos",
           "usernameSource": "session.sso.token.last.username",
           "realm": "EXAMPLE.COM",
           "kdc": "19.19.19.19",
           "upn": false,
           "ticketLifetime": 600,
           "sendAuthorization": "always",
           "accountName": "Acme Security",
           "accountPassword": "password",
           "spnPattern": "",
           "domainSource": "session.logon.last.domain"
         }
        ]
       }
      }
     ],
     "use_case": "SAML-SP"
    }
    

    BIG-IP Next Central Manager creates the policy specified by the parameter values used in the body of your POST.

    Note: To deploy this policy with an application, you deploy an application that uses the Access template. When you specify that template as part of application deployment, you choose the policy that you want to deploy with it. For additional details about deploying an application, refer to How to: Manage applications using BIG-IP Next Central Manager and FAST templates.
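    The Kerberos SSO settings of the body above, checked before the POST, as an added example written for this how-to and not code from F5 or from Central Manager. check_kerberos_sso rejects a realm that is not a Kerberos realm name, a KDC that is neither an IP address nor a hostname, usernameSource or domainSource values that are not session variable names, a placeholder accountPassword, and wantAssertionEncrypted without both decryptionCertificate and decryptionKey; it also returns the service principal names for the backend hosts, which are the entries the delegation account must be allowed to delegate to. The constructed PAGE_BODY reuses the placeholder values from the body above; the assumption that an empty spnPattern means HTTP/<backend host>@REALM is this example's, not a statement of the product's default.

```python
"""Check the Kerberos SSO part of a SAML SP policy body before it is posted.

Added example for this how-to, not F5 code. It assumes that an empty
spnPattern means the conventional HTTP/<backend host>@REALM principal; the
constructed PAGE_BODY reuses the placeholder values from the body above.
"""
import copy
import ipaddress
import re

REALM_RE = re.compile(r"^[A-Z0-9][A-Z0-9.-]*$")        # Kerberos realms are uppercase names, not URLs
SESSION_VAR_RE = re.compile(r"^session(\.[A-Za-z0-9_]+)+$")
PLACEHOLDER_SECRETS = {"", "password", "changeme", "secret"}

PAGE_BODY = {  # constructed: the page's Kerberos body trimmed to the fields checked here
    "properties": [{"configuration": {
        "policy": {"objectContent": {"start": {"service": {
            "wantAssertionEncrypted": True,
            "decryptionCertificate": "myCert1.crt", "decryptionKey": "myCert1.pem"}}}},
        "ssos": [{"ssoType": "Kerberos", "usernameSource": "session.sso.token.last.username",
                  "realm": "http://Realm1.com", "kdc": "19.19.19.19", "upn": False,
                  "ticketLifetime": 600, "sendAuthorization": "always",
                  "accountName": "Acme Security", "accountPassword": "password",
                  "spnPattern": "", "domainSource": "session.logon.last.domain"}]}}]}


def expand_spn(pattern: str, host: str, realm: str) -> str:
    """Service principal the SSO agent requests a ticket for (default pattern assumed)."""
    return (pattern or "HTTP/%h@REALM").replace("%h", host).replace("REALM", realm)


def check_kerberos_sso(body: dict, backend_hosts: list[str]) -> tuple[list[str], list[str]]:
    """Return (problems, SPNs the delegation account must be allowed to delegate to)."""
    cfg = body["properties"][0]["configuration"]
    service = cfg["policy"]["objectContent"]["start"]["service"]
    kerberos = [s for s in cfg.get("ssos", []) if s.get("ssoType") == "Kerberos"]
    if not kerberos:
        return ["no Kerberos entry under ssos"], []
    sso, problems = kerberos[0], []
    if not REALM_RE.match(sso["realm"]):
        problems.append(f"realm {sso['realm']!r} is not a Kerberos realm name such as EXAMPLE.COM")
    try:
        ipaddress.ip_address(sso["kdc"])
    except ValueError:
        if not re.fullmatch(r"[A-Za-z0-9.-]+", sso["kdc"]):
            problems.append(f"kdc {sso['kdc']!r} is neither an IP address nor a hostname")
    for key in ("usernameSource", "domainSource"):
        if not SESSION_VAR_RE.match(sso[key]):
            problems.append(f"{key} {sso[key]!r} is not a session variable name")
    if sso["accountPassword"].lower() in PLACEHOLDER_SECRETS:
        problems.append("accountPassword is a placeholder: inject the delegation account "
                        "password from a secret store, never from a committed file")
    if sso["ticketLifetime"] <= 0:
        problems.append("ticketLifetime must be positive")
    if service.get("wantAssertionEncrypted") and not (
            service.get("decryptionCertificate") and service.get("decryptionKey")):
        problems.append("wantAssertionEncrypted is true but decryptionCertificate/decryptionKey "
                        "are not both set, so encrypted assertions cannot be read")
    spns = [expand_spn(sso["spnPattern"], h, sso["realm"]) for h in backend_hosts]
    return problems, spns


def hardened_copy(body: dict, realm: str, password: str) -> dict:
    """Copy of body with a real realm name and a password supplied by the caller."""
    fixed = copy.deepcopy(body)
    sso = fixed["properties"][0]["configuration"]["ssos"][0]
    sso["realm"], sso["accountPassword"] = realm, password
    return fixed


if __name__ == "__main__":
    for msg in check_kerberos_sso(PAGE_BODY, ["intranet.example.com"])[0]:
        print("problem:", msg)
    print(check_kerberos_sso(hardened_copy(PAGE_BODY, "EXAMPLE.COM", "from-a-vault"),
                             ["intranet.example.com"])[1])
```

    The returned SPN list is the thing to compare against the delegation account's allowed-to-delegate-to list in Active Directory: a backend host that is missing there is exactly the "designated web server" the note above says must be configured, and the SSO will fail for it even though the policy itself deploys cleanly.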