Forum Discussion

dp_119903's avatar
dp_119903
Icon for Cirrostratus rankCirrostratus
Jan 27, 2016

APM + SSO questions about server side authentication

I have a good amount of experience working with the F5 as a SAML SP using a 3rd party external IdP and then using kerberos for server side SSO.   I have a question though about other options. Sin...
BIG-IP Access Policy Manager (APM)
saml
security
SSO
Michael_Koyfma1's avatar
Michael_Koyfma1
Icon for Cirrus rankCirrus
Jan 27, 2016

You have a couple of options in this scenario:

 

  1. Integrating SAML support into the application natively(some work there)
  2. Allowing access by extracting username from the HTTP header

The second one is typically much easier to implement. F5 can easily insert the username in the specific HTTP header, and the application can be modified to look for that header and extract user identity from it. This approach is used by many large enterprise Web Access Management solutions.

 

Optionally, you can also choose to encrypt the username using symmetric key encryption between the BIG-IP and your application, and you should also restrict traffic to the application to ensure it accepts it only from the IP address of the BIG-IP to avoid tampering with it and bypassing security.

 

Hope this helps.