APM server SSO with SAML

Question

I have a mobile application that can only authenticate users via SAML -- not Kerberos or trusted HTTP headers.  I want to protect it behind APM, with an access policy to pre-authenticate the user before granting access to the application, like this:&nbsp;
Client --&gt; [SAML] --&gt; F5 APM --&gt; [SAML] --&gt; Server&nbsp;
I am able use APM to pre-authenticate the client with SAML.  Following pre-authentication, how can I send the user's SAML claim to the server, so the user is authenticated to the application?  There does not seem to be a SAML SSO.&nbsp;
In the absence of a SAML SSO, is there a way to "capture and replay" the user's SAML POST to the server, and then return the application authentication cookie back to the user in addition to the APM session cookie?&nbsp;
Thank you for your help!&nbsp;

walter_kacynski · Answer

Can you set the ACS URL to that of the VIP/Backend server so that the client POSTs the SAMLResponse to the backend?&nbsp;

daphne_won · Answer

Can you tell me which backend application it is trying to access?

evan_champion_1 · Answer

Hi Daphne -- the backend application is SAP Netweaver Gateway hosting the SAP Fiori web applications.  Although Fiori also supports Kerberos, this requires additional licensing (SAP SSO), so we had wanted to use SAML.

amolari · Answer

Hi
I have exactly the same requirement and application. Any concrete answer from F5, 2 years later?
Thank you&nbsp;
Alex&nbsp;

Forum Discussion

APM server SSO with SAML

4 Replies

Recent Discussions

Geo Fence in ASM through irule for URI

Client certificate Authentication - open multiple tabs

google autenticator broken barcode

Chrome V 124+ on MacOS - Virtual Server Access Issue

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Related Content

APM Cookbook: AutoLaunch SAML Resources

APM Cookbook: SAML IdP Chaining

Decode SAML Response from IDP Server

Server Profile SNI

APM as Saml IDP with many SP