Configuration requirements for supporting SP-initiated connections
A SAML IdP service is a type of single sign-on (SSO) authentication service in Access Policy Manager® (APM®). When you use a BIG-IP® system as a SAML identity provider (IdP), a SAML IdP service provides SSO authentication for external SAML service providers (SPs). You must bind a SAML IdP service to SAML SP connectors, each of which specifies an external SP. APM responds to authentication requests from the service providers and produces assertions for them.
A SAML service provider connector (an SP connector) specifies how a BIG-IP® system, configured as a SAML Identity Provider (IdP), connects with an external service provider.
You can use one or more of these methods to configure SAML service provider (SP) connectors in Access Policy Manager®.
Setting up a BIG-IP® system as a SAML identity provider (IdP) system involves two major activities:
This flowchart illustrates the process for configuring a BIG-IP® system as a SAML identity provider (IdP) without providing an SSO portal.
When the RelayState parameter is already part of the authentication request sent to the BIG-IP system, APM returns that value unchanged to the service provider with the SAML response. Otherwise, APM uses the Relay State value from this configuration. In either case the service provider receives RelayState alongside the SAMLResponse; because the value originates from the SP's own (unsigned) request, the SP should treat it as opaque and validate it before using it as a post-login redirect target.
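The exchange described above, as an added example that is not part of the original page or of F5's code: an SP-initiated AuthnRequest arrives over the HTTP-Redirect binding, the IdP side recovers any RelayState it carried, falls back to a configured value when none was sent, and returns both the SAMLResponse and the chosen RelayState to the SP's ACS over the HTTP-POST binding. The entity IDs, the ACS URL, the configured Relay State and the sample AuthnRequest are constructed for the example; the Response is a bare skeleton without the signed assertion a real IdP would add.

```python
import base64
import html
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical values standing in for the BIG-IP configuration; not F5 defaults.
IDP_ENTITY_ID = "https://idp.example.com/idp"
CONFIGURED_RELAY_STATE = "https://sp.example.com/"   # the Relay State setting discussed in the text
SP_ACS_URL = "https://sp.example.com/saml/acs"       # ACS (HTTP-POST) taken from the SP connector


def encode_redirect_authn_request(authn_request_xml, relay_state=None):
    """SP side: HTTP-Redirect binding = raw DEFLATE, base64, URL-encode (constructed for the example)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)


def decode_redirect_authn_request(query_string):
    """IdP side: recover the AuthnRequest and the RelayState the SP sent, if any."""
    params = urllib.parse.parse_qs(query_string, keep_blank_values=True)
    raw = base64.b64decode(params["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15))
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    relay_state = params.get("RelayState", [None])[0]
    if relay_state is not None and len(relay_state.encode()) > 80:
        # SAML 2.0 Bindings 3.1.1: RelayState MUST NOT exceed 80 bytes.
        raise ValueError("RelayState longer than 80 bytes")
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "relay_state": relay_state,
    }


def choose_relay_state(request_relay_state, configured=CONFIGURED_RELAY_STATE):
    """Echo the SP's RelayState when the request carried one, else use the configured value.
    Assumption made here: an empty RelayState parameter counts as absent."""
    return request_relay_state if request_relay_state else configured


def build_post_response_form(acs_url, response_xml, relay_state):
    """HTTP-POST binding: self-submitting form carrying SAMLResponse and RelayState to the ACS."""
    fields = [("SAMLResponse", base64.b64encode(response_xml.encode()).decode()),
              ("RelayState", relay_state)]
    # RelayState is SP-supplied: always escape it, or the form becomes an HTML injection point.
    inputs = "".join(
        f'<input type="hidden" name="{name}" value="{html.escape(value, quote=True)}"/>'
        for name, value in fields)
    return f'<form method="post" action="{html.escape(acs_url, quote=True)}">{inputs}</form>'


def handle_sp_initiated_request(query_string):
    """IdP handling of an SP-initiated AuthnRequest once the user has authenticated."""
    req = decode_redirect_authn_request(query_string)
    # Use the ACS from the connector configuration, not the unsigned URL in the request.
    acs_url = SP_ACS_URL
    relay_state = choose_relay_state(req["relay_state"])
    response_xml = (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp1" Version="2.0" '
        f'InResponseTo="{req["id"]}" Destination="{acs_url}">'
        f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        f'<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        f'</samlp:Response>')
    return {"relay_state": relay_state, "in_response_to": req["id"],
            "form": build_post_response_form(acs_url, response_xml, relay_state)}


# Constructed sample AuthnRequest from the SP.
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_req42" Version="2.0" '
    f'IssueInstant="2024-01-01T00:00:00Z" Destination="{IDP_ENTITY_ID}/sso" '
    f'AssertionConsumerServiceURL="{SP_ACS_URL}">'
    f'<saml:Issuer>https://sp.example.com/sp</saml:Issuer></samlp:AuthnRequest>')

if __name__ == "__main__":
    for rs in ("/app/dashboard", None):
        out = handle_sp_initiated_request(encode_redirect_authn_request(SAMPLE_AUTHN_REQUEST, rs))
        print(repr(rs), "->", out["relay_state"])
```

The response is addressed to the ACS from the connector configuration rather than the AssertionConsumerServiceURL inside the request, because the redirect-binding request is not signed here and an attacker-chosen ACS URL would otherwise receive the assertion.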
To support SAML artifacts, make sure that at least one assertion consumer service (ACS) in the SP connector specifies the artifact binding (HTTP-Artifact). With that binding, APM delivers only a short artifact to the SP; the SP must then resolve it to the actual response with a back-channel ArtifactResolve request, so the SP also needs network access to the IdP's artifact resolution service.
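An added illustration, not taken from the page or from F5 documentation: an SP metadata fragment of the kind an SP connector is built from, with one ACS on the HTTP-POST binding and a second ACS on the HTTP-Artifact binding, which is what the requirement above asks for. The entity ID and URLs are hypothetical, and the ArtifactResolutionService shown at the end belongs in the IdP's own metadata, not the SP's.

```xml
<!-- SP metadata (constructed example): two ACS endpoints, the second on the artifact binding -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://sp.example.com/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.com/saml/acs-artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

<!-- Counterpart in the IdP metadata (constructed): the endpoint the SP calls to resolve artifacts -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://idp.example.com/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:ArtifactResolutionService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.com/saml/idp/ars"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
```

The SP selects the artifact ACS by index or binding in its AuthnRequest (ProtocolBinding or AssertionConsumerServiceIndex); if no ACS advertises HTTP-Artifact, an artifact-based flow cannot be completed regardless of how the IdP side is configured.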