F5 APM SAML with Safenet and SharePoint

Question

Hello&nbsp;We have a requirement to use F5 APM as SP to authenticate users from external IDP (Safenet in this case) and then users shall get redirected to sharepoint application without the need to login again (SSO). &nbsp;In this scenario, we configured f5 as service provider and Safenet as an external identity provider. and sharepoint servers as a pool under the virtual server which has the access profile.&nbsp;How is it possible that F5 can pass the assertion that it received from exertnal idp correctly to the sharepoint servers to perform the SSO ?&nbsp;Currently, the sharepoint servers are supporting SAML V1.1 not SAML V2.

yoann_le_corvi1 · Answer

Hello,&nbsp;The SAML assertion is consumed by the SP. In you situation I'd rather perform a Kerberos authentication via SSO Kerberos Profile on the Sharepoint at the backend.&nbsp;I thing this is the easies approach unless there is a technical constraint in your environment.&nbsp;Let me know&nbsp;Yoann

sasa1 · Answer

Hi Yoann&nbsp;How can we achieve Kerberos SSO between F5 and Sharepoint in this case ? Do we need to configure Kerberos on Safenet (the external IDP) as well or no ?On F5 APM, there are few details required like SPN, account name, password, kerberos realm, KDC, these details should be retrieved IDP through SAML Assertion or how ? Is there a document explains this ?

dave_w · Answer

Hello,&nbsp;Kerberos SSO is Constrained Delegation. Here is a guide on configuring it:&nbsp;https://www.f5.com/pdf/deployment-guides/kerberos-constrained-delegation-dg.pdf

sasa1 · Answer

Hi Dave&nbsp;In the document, the integration is between F5 and AD which is KDC server. In our scenario, there is no AD. It is F5 as SAML SP and Safenet/Gamealto as SAML IDP. Does it mean in this case, the safenet will be the KDC server ?

dave_w · Answer

Hello, that depends, but if the site supports Kerberos I would assume there is a KDC that supports it somewhere in this environment. Keep in mind that the Kerberos SSO in APM was designed with MS AD in mind so whatever KDC is present may work, but will need to mimic the AD Kerberos implementation.

Forum Discussion

F5 APM SAML with Safenet and SharePoint

5 Replies

Recent Discussions

Import PKCS 12 SSL to Device Certificate via API/Script or CLI on BIG-IP

Help with URL Masking

F5 iRule to replace host to path

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5 Rseries R2600 Tenant sizing

Related Content

APM Sharepoint authentication

Enable SAML Service Provider on F5 Distributed Cloud Application

APM Sharepoint authentication v2

iRule for migrating to Sharepoint Online

SAML SLO Error