Forum Discussion

Susan7
Apr 30, 2019

What are the limitations of F5 APM integration with OKTA for SSO?


3 Replies

  • Hi,

     

    It depends on what you want to do. Do you have a specific use case?

     

    As you know, Okta is an identity cloud that provides secure identity management with Single Sign-On.

     

    So OKTA supports SAML (standard), as F5 does. So you can easily make the link between F5 and OKTA, for example:

     

    • F5 as SP
    • OKTA as IDP

    Okta supports OAuth too (as F5 does), so in this case you can deploy this use case:

     

    • OKTA as AS
    • F5 as RS

    ...

     

    Regards,

     

  • Susan7

    Hi Youssef,

     

    My use case is OKTA (with SAML) integration with F5 for SSO.

     

    • F5 as SP
    • OKTA as IDP

     

  • First, what authentication method does your back-end support, i.e. how are you going to authenticate?

     

    With SAML, where the F5 is the SP, you by default do not get the user's password. However, you can configure Okta to provide this securely within the SAML response, but that takes away a bit of the security, and many organisations disallow this within their security policies. (See The F5 and Okta Solution for Web Access Management.)

     

    If you need a solution without a password you have a couple of options:

     

    1. Kerberos SSO, configuring the F5 APM as a trusted device within the Kerberos domain; as you trust the SAML authentication from Okta, you can authenticate the user via Kerberos without the F5 seeing the user's password. (See APM Cookbook: Single Sign On (SSO) using Kerberos for a great guide on setting up Kerberos SSO.)

       

    2. Option 2 is SAML again (technically this is not SSO). This is where you configure the F5 as the IdP which authenticates to Okta via SAML, and the back end as the SP, i.e. the F5 acts as both a SAML SP and IdP: SP for the user authentication and IdP for the back-end server's authentication request.

       

    This is like chaining/nesting SAML authentication. I have done this in a lab and after a lot of work managed to get it working, but it is not a nice solution and a pain to troubleshoot. If you want APM authentication you also force the user to authenticate twice, though the second time, from the backend server, should be transparent.

     

    If you need SSO without the F5 being sent the user's password, then I would favour Kerberos SSO, but if you can configure Okta to provide the password you can then use any SSO method F5 APM supports. I highly recommend this method if you are using Okta for two-factor authentication (2FA/MFA), as it is simpler than Kerberos and chaining/nesting multiple SAML authentication requests.
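The reply above turns on one question a security reviewer should be able to answer from the wire: what does the IdP actually release to the SP in the SAML response, and is a credential attribute among it? The following is an added example, not code from this thread, from F5 or from Okta. It parses a constructed SAML 2.0 response (the Okta issuer URL, the APM SP entity ID and the attribute names are placeholders I assumed) and reports the policy findings an SP-side reviewer would care about: issuer and audience mismatch, validity window, and an attribute that carries the user's password. It does not verify the XML signature; in the real deployment APM does that with the IdP's signing certificate before any of this is trusted.

```python
"""Audit what a SAML IdP releases to an SP in a SAML 2.0 Response.

Added example for the F5 APM (SP) / Okta (IdP) discussion; not vendor code.
The sample response below is constructed by hand and all values are placeholders.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attribute names that, by the policy assumed here, an IdP must not release.
SENSITIVE_ATTRIBUTE_NAMES = {"password", "passwd", "pwd", "secret"}

# Constructed sample: Okta-style issuer, APM-style ACS URL, one forbidden attribute.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2019-04-30T10:00:00Z"
    Destination="https://apm.example.test/saml/sp/profile/post/acs">
  <saml:Issuer>http://www.okta.com/exampleIdpId</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-04-30T10:00:00Z">
    <saml:Issuer>http://www.okta.com/exampleIdpId</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">susan@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2019-04-30T09:55:00Z" NotOnOrAfter="2019-04-30T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://apm.example.test/saml/sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups"><saml:AttributeValue>vpn-users</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="password"><saml:AttributeValue>PLACEHOLDER</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_assertion(xml_text):
    """Extract issuer, subject, conditions and released attributes from the first Assertion."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in response")
    conditions = assertion.find("saml:Conditions", NS)
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "audiences": [a.text for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
        "not_before": conditions.get("NotBefore") if conditions is not None else None,
        "not_on_or_after": conditions.get("NotOnOrAfter") if conditions is not None else None,
        "attributes": attributes,
    }


def _parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_assertion(parsed, expected_audience, expected_issuer, now):
    """Return policy findings for a parsed assertion; an empty list means clean."""
    findings = []
    if parsed["issuer"] != expected_issuer:
        findings.append(f"unexpected issuer {parsed['issuer']!r}")
    if expected_audience not in parsed["audiences"]:
        findings.append("assertion not addressed to this SP (audience mismatch)")
    if parsed["not_before"] and now < _parse_time(parsed["not_before"]):
        findings.append("assertion not yet valid")
    if parsed["not_on_or_after"] and now >= _parse_time(parsed["not_on_or_after"]):
        findings.append("assertion expired")
    for name in parsed["attributes"]:
        if name and name.lower() in SENSITIVE_ATTRIBUTE_NAMES:
            findings.append(f"IdP releases credential attribute {name!r}; disallowed by policy")
    return findings


def audit_response(xml_text, expected_audience, expected_issuer, now_iso):
    """Convenience wrapper: parse and audit in one call, with the clock given as an ISO string."""
    return audit_assertion(parse_assertion(xml_text), expected_audience, expected_issuer,
                           _parse_time(now_iso))


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE, "https://apm.example.test/saml/sp",
                                  "http://www.okta.com/exampleIdpId", "2019-04-30T10:00:00Z"):
        print("FINDING:", finding)
```

Run against the sample, the only finding is the released `password` attribute, which is exactly the configuration the reply says many security policies disallow; feeding a later clock or a different SP entity ID adds the expiry and audience findings. Point the same functions at a response captured from your own Okta-to-APM test flow (after APM has validated the signature) to see which attributes your IdP application is really configured to send.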