Forum Discussion

Cirrostratus

Mar 15, 2016

Solved

APM and certificate based AD authentication

Hello, We are looking to authenticate users into their domain joined PC's using certificate based services (Smartcard's). Due to the way it is going to implemented, users will not get a prompt t...

BIG-IP Access Policy Manager (APM)

security

Lucas_Thompson_
Mar 15, 2016
In other words: APM doesn't have the user's password. The normal solutions to this are:

Use Kerberos SSO with a delegation account. This is easy an long as your web server is IIS.
Use SAML.

Sometimes people come up with other solutions. Because APM has access to irules, you can basically implement anything that is technically possible, with the important exception of passing the client's certificate through to the backend app. We don't support doing that.

I'd recommend consulting your app vendor to get their preferred SSO delegation technique.

Lucas_Thompson_

Historic F5 Account

Mar 15, 2016

In other words: APM doesn't have the user's password. The normal solutions to this are:

Use Kerberos SSO with a delegation account. This is easy an long as your web server is IIS.
Use SAML.

Sometimes people come up with other solutions. Because APM has access to irules, you can basically implement anything that is technically possible, with the important exception of passing the client's certificate through to the backend app. We don't support doing that.

I'd recommend consulting your app vendor to get their preferred SSO delegation technique.

Michael_Koyfma1

Cirrus

Mar 15, 2016

A third option would be to amend application to trust the user identity being passed to it via HTTP header and restrict traffic to application to only come from APM - that way you can adapt an application to SSO behavior.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)