Forum Discussion
Hello Xpenno255.
Even though there is no password exchange in SAML between the IdP and the SP, there is a chance to configure an ad-hoc setup where the IdP injects the password, encrypted, just for legacy SSO purposes.
Another option for SSO is to configure SAML Auth on the front side and also on the server side, because the same assertion could be used by both authentication steps.
For more info, check "Table 3.1 Client-side and server-side authentication method support matrix"
REF - https://support.f5.com/csp/article/K08200035
Where the article states:
"1. BIG-IP APM can function as a SAML identity provider (IdP) and a service provider (SP). As an SP, the client generally authenticates at the IdP. Therefore, the SP does not have access to users’ credentials.
However, it is possible for the IdP to encrypt and transmit those validated credentials in the standard SAML assertion or in a separate artifact communication. In this way a BIG-IP APM SAML SP could perform server-side authentication functions requiring a password.
Also, when the BIG-IP APM is the IdP but the SP authentication request originates from an external source, such as a custom portal instead of the BIG-IP APM built-in webtop, the system generates a SAML assertion on-the-fly to automatically sign in the user. For more information, refer to Identity federation."
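The reply above describes an SP that consumes a SAML assertion and, in a legacy setup, may receive an encrypted credential inside it. The following is an added example, written for this discussion and not code from the forum poster or from F5, showing what an SP-side consumer would check on such an assertion: the Conditions window, the Audience, the attribute set, and whether any attribute looks like it carries a credential (so that setup can be reviewed rather than discovered by accident). The assertion text and the attribute name `legacy_password` are constructed for the example; XML signature verification is assumed to have been done already by the SP's SAML stack and is not repeated here.

```python
"""Parse a SAML 2.0 assertion, check its conditions and flag credential-bearing attributes.

Added example (not from the forum post or F5). Standard library only.
Signature verification is assumed to happen before this code runs.
"""
import datetime as dt
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion; issuer, audience and attribute names are assumptions.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-id" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.test/idp</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="legacy_password">
      <saml:AttributeValue>ENCRYPTED-BLOB-PLACEHOLDER</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _parse_time(value):
    # SAML timestamps are UTC xs:dateTime values such as 2024-01-01T12:00:00Z
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def parse_assertion(xml_text):
    """Return the fields an SP needs from an assertion as a plain dict."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS:
        raise ValueError("not a SAML 2.0 Assertion element")
    conditions = root.find("saml:Conditions", NS)
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS),
        "subject": root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS),
        "not_before": conditions.get("NotBefore") if conditions is not None else None,
        "not_on_or_after": conditions.get("NotOnOrAfter") if conditions is not None else None,
        "audiences": [a.text for a in root.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
        "attributes": attributes,
    }


def check_conditions(parsed, now_iso, expected_audience):
    """Return a list of reasons the assertion must be rejected (empty list means accept)."""
    problems = []
    now = _parse_time(now_iso)
    if parsed["not_before"] and now < _parse_time(parsed["not_before"]):
        problems.append("not yet valid")
    # NotOnOrAfter is exclusive: an assertion is invalid at exactly that instant.
    if parsed["not_on_or_after"] and now >= _parse_time(parsed["not_on_or_after"]):
        problems.append("expired")
    if expected_audience not in parsed["audiences"]:
        problems.append("audience mismatch")
    return problems


def credential_attributes(parsed):
    """Names of attributes whose name suggests they transport a credential."""
    markers = ("password", "passwd", "pwd", "secret")
    return sorted(name for name in parsed["attributes"]
                  if any(m in name.lower() for m in markers))


if __name__ == "__main__":
    assertion = parse_assertion(SAMPLE_ASSERTION)
    print("subject:", assertion["subject"])
    print("problems:", check_conditions(assertion, "2024-01-01T12:01:00Z",
                                        "https://sp.example.test"))
    print("credential attributes:", credential_attributes(assertion))
```

Running the block on the constructed assertion reports no condition problems at 12:01 and lists `legacy_password` as a credential-bearing attribute, which is the kind of inventory an SP operator would want before agreeing to the legacy setup the reply describes.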