Solution15 Policies

This solution requires the creation of three access policies: a default-allow per-session policy and a per-request policy, using two subroutines, for the Identity Aware Proxy (IAP), and a third policy used by a virtual server acting both as a SAML SP to an external IdP and as a SAML IdP to the Identity Aware Proxy virtual server.

Primary Identity Provider

Per-Session Policy Walk-Through

image002

  1. When a user is directed to a SAML Auth agent, they are redirected to the IDP (AzureAD) selected by the SP Service (portal.acme.com).

  2. Upon successful authentication at the IDP, the user is redirected back to the SP. The SP service consumes the Assertion. The user is assigned the resources defined in the Advanced Resource Assign Agent.

  3. After successful Resource Assignment, the user is granted access via the Allow Terminal.

  4. If SAML Authentication is unsuccessful, the user proceeds down the fallback branch to be denied access via the Deny Terminal.

Per-Session Agent configuration

Portal-psp SAML Auth Agent

image004

Advanced Resource Assign

image005

Profile Settings

The Portal Profile settings have been modified in order to attach the IdP Service.

image053

Identity Aware Proxy

Per-Session Policy Walk-Through

image001

  1. This initial access policy (default allow) is a per-session policy that populates the required session variable names and values.

Per-Request Policy Walk-Through

This per-request access policy accepts user requests and redirects them to one of the two SAML Auth Subroutines, configured for sp.acme.com and sp1.acme.com respectively.

image003

  1. This URL Branching agent evaluates the request's Host header to determine the appropriate next path.

  2. When a user is directed to a SAML Auth agent, they are redirected to the IDP (portal.acme.com) selected by the SP Service (sp.acme.com).

  3. Upon successful authentication at the IDP, the user is redirected back to the SP. The SP service consumes the Assertion. The user is directed to the Success Terminal.

  4. Upon unsuccessful authentication, the user proceeds down the fallback branch to the Fail Terminal.

  5. Pool sp.acme.com-pool is assigned to the request for load balancing. Traditional LTM load balancing rules still apply.

  6. The user is granted access via the Allow Terminal.

  7. Upon unsuccessful authentication, the user proceeds down the fallback branch to be denied access via the Reject Terminal.

  8. When a user is directed to a SAML Auth agent, they are redirected to the IDP (portal.acme.com) selected by the SP Service (sp1.acme.com).

  9. Upon successful authentication at the IDP, the user is redirected back to the SP1. The SP service consumes the Assertion. The user is directed to the Success Terminal.

  10. Upon unsuccessful authentication, the user proceeds down the fallback branch and is directed to the Fail Terminal.

  11. Pool sp1.acme.com-pool is assigned to the request for load balancing. Traditional LTM load balancing rules still apply.

  12. The user is granted access via the Allow Terminal.

  13. Upon unsuccessful authentication, the user proceeds down the fallback branch and is directed to the Reject Terminal.

  14. If the request does not contain a matching URL, it proceeds down the fallback branch to the Reject Terminal.
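The branch logic of the per-request policy above, written out as an added Python model (not F5 configuration and not part of the lab guide). The host names, SP service names, pool names and terminals are those used in this solution; the SAML outcome is a constructed input standing in for the result of the SAML Auth subroutine. The Host-header normalisation is an assumption about how a practitioner would want the URL branch rules to behave: exact host match only, with an explicit port stripped.

```python
"""Model of the IAP per-request policy branches (added example, not APM config)."""
from dataclasses import dataclass

# URL branch rules: Host header -> (SAML Auth subroutine's SP service, pool).
BRANCHES = {
    "sp.acme.com": ("sp.acme.com-sp-serv", "sp.acme.com-pool"),
    "sp1.acme.com": ("sp1.acme.com-sp-serv", "sp1.acme.com-pool"),
}


@dataclass
class Decision:
    terminal: str          # "Allow" or "Reject"
    sp_service: str = ""   # SP service of the subroutine the branch selected
    pool: str = ""         # pool assigned on the Allow path (step 5 / 11)


def normalize_host(host_header: str) -> str:
    """Lower-case the Host header and drop an explicit port (assumption:
    the lab only uses DNS names, so IPv6 literals are not handled).
    Matching is exact, so a longer name that merely starts with
    sp.acme.com does not satisfy the sp.acme.com branch rule."""
    return host_header.strip().lower().split(":", 1)[0]


def per_request_policy(host_header: str, saml_success: bool) -> Decision:
    """Walk the per-request policy for one request."""
    branch = BRANCHES.get(normalize_host(host_header))
    if branch is None:
        # Step 14: no matching URL -> fallback branch -> Reject Terminal
        return Decision("Reject")
    sp_service, pool = branch
    # Steps 2-4 / 8-10: the SAML Auth subroutine ends at Success or Fail
    if not saml_success:
        # Steps 7 / 13: Fail Terminal -> fallback branch -> Reject Terminal
        return Decision("Reject", sp_service)
    # Steps 5-6 / 11-12: Pool Assign, then Allow Terminal
    return Decision("Allow", sp_service, pool)
```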

Per-Request Agent configuration

URL Branch Rules

image006

Subroutine: SP - SAML Auth

image007

Subroutine: SP1 - SAML Auth

image008

Pool Assign - sp_pool

image009

Pool Assign - sp1_pool

image010

Profile Settings

The IAP profile settings are the default.

Supporting APM Objects

Configuration settings for Federation Services (SP Services, IdP Connectors, IdP Services, SP Connectors).

Local SP Services List

image054

SP Service - Portal.acme.com-sp-serv

General Settings

image011

Endpoint Settings

image012

Security Settings

image013

SP Service - sp.acme.com-sp-serv

General Settings

image014

Endpoint Settings

image015

Security Settings

image016

SP Service - sp1.acme.com-sp-serv

General Settings

image017

Endpoint Settings

image018

Security Settings

image019

External IdP Connectors List

image055

IdP Connector - solution15-1-idp-conn

General Settings

image048

Endpoint Settings
  • Single Sign On Service

image049

Assertion Settings

image050

Security Settings

image051

Single Logout Service Settings

image052

IdP Connector - solution15-2-idp-conn

General Settings

image029

Endpoint Settings
  • Single Sign On Service

image030

Security Settings

image031

Single Logout Service Settings

image032

Local IdP Service List

image056

Local IdP Service - portal.acme.com-1-idp-service

General Settings

image020

SAML Profiles

image021

Endpoint Settings

image022

Assertion Settings

image023

Security Settings

image024

External SP Connector List

image057

SP Connector - sp.acme.com-sp-conn

General Settings

image033

Endpoint Settings

image034

Security Settings

image035

Single Logout Service Settings

image036

SP Location Settings

image037

SP Connector - sp1.acme.com-sp-conn

General Settings

image038

Endpoint Settings

image039

Security Settings

image040

Single Logout Service Settings

image041

SP Location Settings

image042

User’s Perspective

Accessing an Application Directly

A user attempting to access https://sp.acme.com or https://sp1.acme.com is directed to portal.acme.com and then seamlessly redirected again to AzureAD for authentication.

image044

Once the user is authenticated, they are transparently redirected back to the resource. In this case, it is sp.acme.com.

image045

Accessing an Application via Portal

Users attempting to access https://portal.acme.com are redirected to AzureAD for authentication.

image044

Once the user is authenticated, they are transparently redirected back to the resource. In this case, it is the Webtop Portal.

image046

Now that the user is authenticated at the IDP, when they attempt to access sp.acme.com they are not prompted for further logon information.

image047