Forum Discussion

dp_119903

Cirrostratus

Jan 27, 2016

APM + SSO questions about server side authentication

I have a good amount of experience working with the F5 as a SAML SP using a 3rd party external IdP and then using kerberos for server side SSO. I have a question though about other options. Sin...

BIG-IP Access Policy Manager (APM)

Cirrus

Jan 27, 2016

You have a couple of options in this scenario:

Integrating SAML support into the application natively(some work there)
Allowing access by extracting username from the HTTP header

The second one is typically much easier to implement. F5 can easily insert the username in the specific HTTP header, and the application can be modified to look for that header and extract user identity from it. This approach is used by many large enterprise Web Access Management solutions.

Optionally, you can also choose to encrypt the username using symmetric key encryption between the BIG-IP and your application, and you should also restrict traffic to the application to ensure it accepts it only from the IP address of the BIG-IP to avoid tampering with it and bypassing security.

Hope this helps.

Forum Discussion

APM + SSO questions about server side authentication

Recent Discussions

Server 2 causing application slowness

F5Access | MacOS Sonoma

AS3 Deployments (shared objects)

Inquiry on F5's Maintenance Mode Feature for Pool Members

Ansible modules for F5OS

Related Content

Standalone BIG-IQ Upgrade Question

Selective mutual authentication by HTTP::Host

iRule question: What does "switch -glob" do?

SNAT question

Monitor Testing question