For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Xpenno255's avatar
Xpenno255
Icon for Nimbostratus rankNimbostratus
Feb 10, 2022

APM Step-up authentication when clicking a specific webtop item

Hi, We use APM for our SSLVPN Service. Some users just use the VPN client, whilst others use a combination of VPN and Webtop to access services such as RDS and Citrix that we've integrated into APM....
application delivery
authentication
BIG-IP Access Policy Manager (APM)
Dario_Garrido's avatar
Dario_Garrido
Icon for Noctilucent rankNoctilucent
Feb 12, 2022

Hello Xpenno255. 

Even though there is no password exchange in SAML between IdP and SP, there is a chance to configure a ad-hoc setup where IdP injects the password encrypted just for legacy SSO purposes.

Another option for SSO is to configure SAML Auth in the front side and also in the server side, because the same assertion could be used by both authentication steps. 

For more info, check "Table 3.1 Client-side and server-side authentication method support matrix"

REFhttps://support.f5.com/csp/article/K08200035

Where the article states:

"1. BIG-IP APM can function as a SAML identity provider (IdP) and a service provider (SP). As an SP, the client generally authenticates at the IdP. Therefore, the SP does not have access to users’ credentials.

However, it is possible for the IdP to encrypt and transmit those validated credentials in the standard SAML assertion or in a separate artifact communication. In this way a BIG-IP APM SAML SP could perform server-side authentication functions requiring a password.

Also, when the BIG-IP APM is the IdP but the SP authentication request originates from an external source, such as a custom portal instead of the BIG-IP APM built-in webtop, the system generates a SAML assertion on-the-fly to automatically sign in the user. For more information, refer to Identity federation."