If you are using SAML SP then you have two options:
- If your backend servers support kerberos then you can configure Kerberos SSO.
- You IDP can send you the user password encrypted in a SAML attribute. Then you can use any SSO options available in APM.
This is because SAML SP will just validate the assertion coming from the IDP but there is no password there by default. If there is no password your only option is Kerberos (by using Kerberos Constrained Delegation)
Have a look to the APM operation guide, there are some examples on how to configure SSO: https://support.f5.com/content/kb/en-us/products/big-ip_apm/manuals/product/f5-apm-operations-guide/_jcr_content/pdfAttach/download/file.res/f5-apm-operations-guide.pdf