Forum Discussion
Hi Spencer,
I'm not sure if I understood you well. I don't think you can do this easily, or at least not as you expect. The SAML assertion is only valid for one SP and its validity is finite (I think the F5 IdP's is 5~10 minutes), so there is no way to get an assertion that will be globally valid between services.
What I have done with some customers using the F5 IdP is take advantage of the domain SSO configuration. When the user is authenticated for the first time at the IdP you get a session cookie. The second time you access an SP service and get redirected to the IdP, as you have the session cookie with you, you will be automatically authenticated and a new SAML assertion will be provided to the SP, etc.
Apart from this, if I understood well, you are thinking of placing the APM in front of your IdP and doing SSO? This may work if your IdPs are local.
I hope this sheds some light on your ideas.
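The two constraints the reply leans on (an assertion is addressed to exactly one SP via AudienceRestriction, and it carries a short NotBefore/NotOnOrAfter window) are what an SP must enforce when it consumes each freshly issued assertion. The following is an added example, not code from the post or from F5: a Python check of the SAML 2.0 Conditions element against the consuming SP's own entity ID and the current time. The sample assertion, the entity IDs and the timestamps are constructed; the 30-second clock-skew allowance is an assumed policy value. Verifying the XML signature over the assertion is assumed to happen before this check and is not shown.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a minimal unsigned SAML 2.0 assertion issued for ONE SP
# with a 5-minute validity window. Not a real F5 artifact; values are made up.
SAMPLE_ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID>spencer@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp-a.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _parse_ts(value):
    # SAML timestamps are UTC ISO 8601; older Pythons reject a trailing 'Z'.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion_conditions(xml_bytes, my_entity_id, now=None,
                               clock_skew=timedelta(seconds=30)):
    """Return the list of reasons the SP identified by my_entity_id must
    reject this assertion; an empty list means the Conditions are satisfied.

    `now` may be a timezone-aware datetime or an ISO 8601 string; it defaults
    to the current UTC time. Only the Conditions element is checked here: a
    real SP verifies the XML signature BEFORE trusting any of these fields.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_ts(now)

    root = ET.fromstring(xml_bytes)
    problems = []

    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return ["no Conditions element: refuse an unbounded assertion"]

    # Finite validity window (the "5~10 minutes" in the post), with skew tolerance.
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now + clock_skew < _parse_ts(not_before):
        problems.append("assertion not yet valid (NotBefore)")
    if not_on_or_after is None:
        problems.append("missing NotOnOrAfter: validity must be finite")
    elif now - clock_skew >= _parse_ts(not_on_or_after):
        problems.append("assertion expired (NotOnOrAfter)")

    # Audience binding: the assertion is for one SP, not globally valid.
    audiences = [a.text.strip()
                 for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)
                 if a.text]
    if not audiences:
        problems.append("no AudienceRestriction: cannot tell which SP this is for")
    elif my_entity_id not in audiences:
        problems.append(f"audience {audiences} does not include {my_entity_id}")

    return problems


if __name__ == "__main__":
    for sp in ("https://sp-a.example.com/sp", "https://sp-b.example.com/sp"):
        print(sp, check_assertion_conditions(SAMPLE_ASSERTION, sp, now="2024-01-01T12:02:00Z"))
```

This is why the IdP session cookie, rather than the assertion, is what carries the "logged in" state across services: each SP that redirects to the IdP receives its own assertion with its own Audience and its own short window, and runs this kind of check on it independently.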