Forum Discussion
kuldeep_Jakhar_
Nimbostratus
Apr 30, 2013
BIG IP APM as reverse proxy
Hi,
I want to publish our mobile application on the Internet through BIG-IP APM as a reverse proxy.
The application uses OpenID Authentication mechanism (Google and Yahoo) for ...
Kevin_Stewart
Employee
Apr 30, 2013
I'll start with some references to SAML as a protocol and APM as a SAML service:
http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
http://www.f5.com/pdf/white-papers/apm-saml-solution-whitepaper.pdf
http://www.f5.com/featured/video/inside-look-saml/
http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-saml-config-guide-11-3-0.html
In a nutshell though, SAML is a form of federated authentication, sort of similar to OpenID, that involves an Identity Provider (IdP or PDP), a Service Provider (SP or PEP), a client, and a series of redirect and/or POST messages to get the client to authenticate at the Identity Provider, which then sends an "assertion" to the Service Provider to guarantee proper authentication. BIG-IP APM 11.3 can provide both the IdP and SP roles (either or both) on the same platform, across platforms, and with other SAML 2.0 (SP or IdP) vendors (Google, MS ADFS, etc.).
As to your requirement, I really see two options:
1. Switch to SAML 2.0. Google supports it natively (though I don't know if Yahoo does) and BIG-IP APM 11.3 can be a full (SAML) authentication proxy.
2. Code it. APM doesn't currently support OpenID or OAuth as a proxied authentication service, though there's nothing preventing you from load balancing the JBoss environment with the RP agents installed there. And since it's all HTTP, you could conceivably pull values from the OID messaging to feed to an APM access session.
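
The first leg of the SAML exchange described in the reply above (the SP redirecting the client to the IdP), as an added example that is not part of the original posts and not F5 code. It assumes the SAML 2.0 HTTP-Redirect binding; the function names, entity IDs, URLs and the size cap are made up for illustration.

```python
import base64, uuid, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_XML = 64 * 1024  # cap on inflated request size (assumed limit)

def build_redirect_url(idp_sso_url, sp_entity_id, acs_url, relay_state):
    """SP side: the redirect that sends the client to the IdP to authenticate."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode.
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(ET.tostring(req)) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": relay_state})
    return f"{idp_sso_url}?{query}"

def parse_redirect_url(url, registered_sps):
    """IdP side: decode the request; accept only a registered SP and ACS URL."""
    qs = parse_qs(urlparse(url).query)
    inflater = zlib.decompressobj(-15)
    xml = inflater.decompress(base64.b64decode(qs["SAMLRequest"][0]), MAX_XML)
    if inflater.unconsumed_tail:
        raise ValueError("SAMLRequest inflates past the size cap")
    req = ET.fromstring(xml)
    if req.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    issuer = req.findtext(f"{{{SAML}}}Issuer")
    acs = req.get("AssertionConsumerServiceURL")
    # The assertion is later POSTed to the ACS URL, so it must match what the
    # IdP has on file for this SP rather than whatever the request claims.
    if issuer not in registered_sps or registered_sps[issuer] != acs:
        raise ValueError("unregistered SP or ACS URL")
    return {"id": req.get("ID"), "issuer": issuer, "acs": acs,
            "relay_state": qs.get("RelayState", [""])[0]}
```

The return leg, where the IdP POSTs a signed assertion to the ACS URL, additionally needs XML signature verification, which the Python standard library does not provide and this sketch does not attempt.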