In the main tab, select “Access Policy | SAML | BIG-IP as SP”
Enter the Name, e.g. "bigip_sp"
In the Entity ID field, enter the virtual server URL; we simply use it as the SP's Entity ID
Select "Security Settings":
Select "Want Signed Assertion"
Once completed, export the SP's metadata; it will be used later in DualShield to create the SP.
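Before importing the exported metadata into DualShield, it is worth confirming that the export actually carries the settings chosen above (the virtual server URL as entityID, and WantAssertionsSigned set to true so that unsigned assertions are rejected). The following Python script is an added example, not code from the original page or from F5 or Deepnet; the embedded metadata is a constructed sample in SAML 2.0 metadata shape, and the hostname and ACS path in it are placeholders rather than values taken from a real BIG-IP export.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample of an SP metadata export. It follows the SAML 2.0
# metadata schema, but the hostname, paths and attribute values are
# placeholders, not an actual BIG-IP export.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://vpn.example.local/">
  <md:SPSSODescriptor AuthnRequestsSigned="false"
                      WantAssertionsSigned="true"
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vpn.example.local/saml/sp/profile/post/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _flag(element, name):
    """Read a boolean XML attribute (SAML metadata uses the literals 'true'/'false')."""
    return element.get(name, "false").strip().lower() == "true"


def inspect_sp_metadata(xml_text):
    """Extract the fields that matter for the SP setup: entityID, signing flags, ACS endpoints."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    acs = [
        (svc.get("Binding"), svc.get("Location"))
        for svc in sp.findall(f"{{{MD_NS}}}AssertionConsumerService")
    ]
    return {
        "entity_id": root.get("entityID"),
        "want_assertions_signed": _flag(sp, "WantAssertionsSigned"),
        "authn_requests_signed": _flag(sp, "AuthnRequestsSigned"),
        "acs": acs,
    }


def check_sp_metadata(xml_text, expected_entity_id):
    """Return a list of problems found in the export; an empty list means it looks right."""
    info = inspect_sp_metadata(xml_text)
    problems = []
    if info["entity_id"] != expected_entity_id:
        problems.append(
            f"entityID is {info['entity_id']!r}, expected {expected_entity_id!r}"
        )
    if not info["want_assertions_signed"]:
        problems.append(
            "WantAssertionsSigned is not true: the SP would accept unsigned assertions"
        )
    if not info["acs"]:
        problems.append("no AssertionConsumerService endpoint in the export")
    for _binding, location in info["acs"]:
        if not (location or "").startswith("https://"):
            problems.append(f"ACS endpoint is not HTTPS: {location}")
    return problems


if __name__ == "__main__":
    # Replace SAMPLE_SP_METADATA with the contents of your exported file
    # and the expected entityID with your virtual server URL.
    issues = check_sp_metadata(SAMPLE_SP_METADATA, "https://vpn.example.local/")
    print("OK" if not issues else "\n".join("PROBLEM: " + p for p in issues))
```

Run it against the exported file with the virtual server URL as the expected entityID; any non-empty result points at a setting that should be corrected in "BIG-IP as SP" before the metadata is handed to DualShield.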
In the Main tab, select “Access Policy | SAML | BIG-IP as SP”; you will see a list of the SPs that have been created:
Select “External IdP Connectors”
Click the down arrow on the “Create” button to show the drop-down menu, then select “From Metadata”
Select the DualShield IdP metadata downloaded in the previous step
Enter the Name: dualshield
Click “OK” to save it
Now, we need to edit the SAML IdP Connector settings:
Select “Endpoint Settings”. In the Single Sign On Service URL field you should see a URL similar to:
http://dualshield.deepnetsecurity.local:8074/appsso/login?DASApplicationName=F5%20BIG-%20IP%20SAML
F5 BIG-IP has a bug: it does not accept URLs containing a question mark (?). We have to replace the URL with:
http://dualshield.deepnetsecurity.local:8074/appsso/login/kvps/DASApplicationName/F5%20BIG-%20IP%20SAML
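The rewrite above turns the query string into path segments under /kvps/, keeping the percent-encoded value intact. Doing it by hand is error-prone, so here is an added Python helper that performs the same rewrite; it is not code from the original page or from DualShield. It keeps the percent-encoding exactly as the IdP emitted it, refuses input that would produce an ambiguous path, and extends the page's single-parameter case to several parameters in key/value order, which is an assumption about how DualShield reads the /kvps/ form rather than something the page states.

```python
from urllib.parse import urlsplit, urlunsplit

# The Single Sign On Service URL exactly as quoted on the page.
ORIGINAL_SSO_URL = (
    "http://dualshield.deepnetsecurity.local:8074/appsso/login"
    "?DASApplicationName=F5%20BIG-%20IP%20SAML"
)


def to_kvps_url(url):
    """Rewrite '?k=v&k2=v2' into '/kvps/k/v/k2/v2' with no query string.

    Percent-encoding is preserved verbatim (no decode/re-encode round trip),
    so the value DualShield receives is byte-for-byte what it emitted.
    A URL without a query is returned unchanged.
    The multi-parameter ordering (key, value, key, value, ...) is an
    assumption; the page only shows a single parameter.
    """
    parts = urlsplit(url)
    if not parts.query:
        return url
    segments = []
    for pair in parts.query.split("&"):
        if "=" not in pair:
            raise ValueError(f"query parameter without a value: {pair!r}")
        key, value = pair.split("=", 1)
        if not key or not value:
            raise ValueError(f"empty key or value in {pair!r}")
        # An unencoded '/' would add an extra path segment and shift every
        # following key/value, so refuse it rather than silently mangle it.
        if "/" in key or "/" in value:
            raise ValueError(f"unencoded '/' in {pair!r} would split the path")
        segments += [key, value]
    path = parts.path.rstrip("/") + "/kvps/" + "/".join(segments)
    return urlunsplit((parts.scheme, parts.netloc, path, "", parts.fragment))


if __name__ == "__main__":
    print(to_kvps_url(ORIGINAL_SSO_URL))
```

Paste the printed result into the Single Sign On Service URL field; the output for the page's URL contains no "?" and so is accepted by the BIG-IP form.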
In the Main tab, select “Access Policy | SAML | BIG-IP as SP”; you will see a list of the SPs that have been created:
Select the SP and click the "Bind/Unbind IdP Connectors" button
Click "Add New Row" button:
In the "SAML IdP Connectors" drop-down list, select "dualshield"
Click "Update" to finish it
Now you should see that the SP "bigip_sp" is bound to the IdP "dualshield":
We need to add a “SAML Auth” to replace the “RADIUS Auth” policy.
Click the plus mark before “RADIUS Auth”.
Enable the option: “SAML Auth”, then click “Add Item”:
In the "AAA Server" field, select the "bigip_sp" that we just created and configured, then click "Save".
Click the cross icon "X" on "RADIUS Auth" to delete it. Now the access policy becomes:
With SAML authentication, the Logon Page provided by BIG-IP is redundant, so delete it as well.
Finally, the access policy looks like:
Now go back to the Access Profiles list; notice that the status flag is "Modified".
Click "Apply Access Policy" to save it.