APM SSO - Best Practices?

Question

Hello,&nbsp;
We have recently started to use APM as our IdP, this works very well so far. I was curious how others have set up their infrastructure to accommodate different use cases. Currently, we have one primary https:// web IdP address with a real certificate. This real certificate is of course for the address and also for assertion signing. We have multiple SP connections set up, all delivered via one Access Policy with a resource assignment at the end. This allows a variation in attributes which is useful.
Question time...&nbsp;

Is it best practice to use a different SSL certificate for assertion signing (to give time for SP connector reconfiguration when certificates expire)&nbsp;

Do you use one IdP address and somehow split each connection at the start of the Access Policy or do you just lump like connections together and make new VIPs when there is a major difference in processing. Example - some apps require multifactor (assuming internal and external) while others do not, do you just create a new VIP for the multifactor ones? My initial thought is that we either somehow detect the application and send them down the right path or we make a new VIP and put all multifactor on it.

walter_kacynski · Answer

Are you doing "Web Browser SSO" SAML only?&nbsp;

Forum Discussion

APM SSO - Best Practices?

1 Reply

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Unblock Request WAF

TLS handshake failure from BIG-IP to backend – Fatal Alert: Decode Error (Server SSL)

Failing over Virtual F5 VE to DR location using Zerto

Failing over of a Virtual F5 configuration to another location using Zerto restore process

F5 Networks F5CAB1 Exam - Need Help Regarding Prep

Related Content

AS3 Best Practice

F5 Certified Practice Exams

Security Best Practices for F5 Products

Cipher Suite Practices and Pitfalls

Five Ways to Automate F5OS with Ansible: A Practical Guide

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS