Forum Discussion

Jan 18, 2019

APM SAML without f5 login page

Hi, I am preparing to test SAML auth on APM, and all of the documentation that I have been able to find seems to require that I use an IdP connector on the f5 side. This doesn't seem necessary to me based on what I understand my requirements to be.

We have a number of sites on SAML today and they seem to be simply loaded with the pub cert from the IdP in order to trust the assertion without the need to directly communicate with the IdP.

I am looking for a login flow just like the above that will simply redirect the unauthenticated user accessing the f5 VS to the IdP for 2FA and then accept the signed assertion when the user is redirected back to the VS. I don't want any sort of auth page presented by f5, if possible.

Once functional, I believe I would need to explore options for getting the assertion info consumed by the back-end web servers.

Is there any documentation that describes configuration of this sort of login flow? Thank you.

1 Reply

  • Hi,

    If I understand your question correctly, you want to use the BIG-IP as a SAML SP, correct? A SAML SP APM profile doesn't need a logon page. That wouldn't make any sense at all. You need to import the IdP metadata as an "external IdP connector" into the BIG-IP SAML Service Provider and assign the connector to your configured SP. Importing the IdP certificate(s) (public key) is necessary, especially to establish trust in the signature of the assertion. Additionally, you need to provide the signing (and encryption) certificate to the IdP.

    Unfortunately, there is not a single piece of documentation available that helped me initially to get everything working correctly. I was struggling with the configuration for several days, consuming almost every document I could find. I ended up with a bunch of documents, each describing single parts in a better or more understandable way than the others (or especially than the official documentation). The deployment guides are very helpful as well.

    Maybe you can provide some more information to make things clearer. There are differences between the TMOS versions in the configuration (paths) of SAML.