Forum Discussion
steirtet
Nimbostratus
Sep 09, 2014
APM in clientless mode, support for SAML
Hello,
I am looking for a solution to have SAML support in clientless mode.
The fact is that my client application does not support any redirect. When the client connects to the SAML SP, no redirect ...
steirtet
Nimbostratus
Sep 09, 2014
Hi,
Thanks for the answer, but this iRule retrieves the username/password without using SAML. The problem with SAML is that it uses redirects between the SAML SP and the SAML IdP. In this case, redirects are not supported and not allowed. The problem remains: how to solve this via an iRule?
Thierry
Gabriel_V_13146
Cirrus
Sep 09, 2014
Hi,
there are several SAML profiles (options how to use the SAML messages). F5 supports the WebSSO profile - thus redirect/post SAML messages between SP and IdP. So it's not really clientless.
I don't know if it helps, but just an idea -
If your SP can consume a SAML assertion, you could use 'IdP-initiated' SSO, so you can let F5 send the LoginResponse directly without any request. That can be done by setting up a webtop with SAML connectors. In that case the APM will expose links (I don't recall the exact URL, see the links which are bound to the webtop links) sending a SAML response to the SP. And as a login action your application just sends the user to the exposed IdP link.
Have fun
Gabriel
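An added example (not part of the posts above and not F5 code): with IdP-initiated SSO the SP receives a Response it never requested, so it cannot match a request ID and has to rely on the checks sketched here. The entity ID, ACS URL, function name and sample message are constructed placeholders, and XML signature verification is assumed to have been done by a SAML library beforehand.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an unsolicited Response (all names and URLs are placeholders).
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1"
  Destination="https://sp.example.test/acs">
 <a:Assertion ID="_a1"><a:Subject><a:SubjectConfirmation
   Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><a:SubjectConfirmationData
   Recipient="https://sp.example.test/acs" NotOnOrAfter="2014-09-09T12:05:00Z"/>
  </a:SubjectConfirmation></a:Subject>
  <a:Conditions><a:AudienceRestriction><a:Audience>https://sp.example.test</a:Audience>
  </a:AudienceRestriction></a:Conditions></a:Assertion></p:Response>"""

def check_unsolicited(xml_text, sp_entity_id, acs_url, now, seen_ids):
    """Return a list of problems; an empty list means the checks passed.
    Assumes the XML signature was already verified by a SAML library."""
    if "<!DOCTYPE" in xml_text:            # refuse DTDs before parsing untrusted XML
        return ["DTD not allowed"]
    resp = ET.fromstring(xml_text)
    problems = []
    assertion = resp.find("a:Assertion", NS)
    scd = resp.find(".//a:SubjectConfirmationData", NS)
    if assertion is None or scd is None:
        return ["missing Assertion or SubjectConfirmationData"]
    # No AuthnRequest was sent, so nothing may claim to answer one.
    if "InResponseTo" in resp.attrib or "InResponseTo" in scd.attrib:
        problems.append("InResponseTo present on an unsolicited response")
    if resp.get("Destination") != acs_url or scd.get("Recipient") != acs_url:
        problems.append("Destination/Recipient is not this SP's ACS URL")
    audiences = [e.text.strip() for e in resp.iterfind(".//a:Audience", NS) if e.text]
    if sp_entity_id not in audiences:
        problems.append("assertion is not addressed to this SP")
    expiry = scd.get("NotOnOrAfter")
    if not expiry or now >= datetime.fromisoformat(expiry.replace("Z", "+00:00")):
        problems.append("assertion expired or has no NotOnOrAfter")
    # Without a request ID to match, a replay cache is the one-time-use control.
    if assertion.get("ID") in seen_ids:
        problems.append("assertion ID already seen (replay)")
    seen_ids.add(assertion.get("ID"))
    return problems
```

In a real SP the replay cache must keep each assertion ID at least until its NotOnOrAfter time has passed.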