Calling SAML Auth Macro for Portal Access Resource

Hello all.  I would like to see if there is a way for us to call a "BIG-IP as SAML Service Provider" macro when a user attempts to access a Portal Access Resource assigned to their webtop.  We would like to MFA this particular resource using OneLogin (IdP).

I will try to provide an example as specific as I can below and hope it makes sense.

Users currently log into APM and are redirected to a OneLogin page.  After successful SAML auth, OneLogin redirects them to their F5 webtop.  This webtop contains various Portal Access and RDP resources.  Most of these resources do not contain sensitive data and do not require MFA.  We would like the 1-2 "sensitive data" resources to require MFA, using OneLogin and physical YubiKeys.

The only solution I've cobbled together so far is to create an entirely new APM profile (this would include OneLogin SSO with the required MFA), have a Portal Access resource point to said profile, and add the ACTUAL resource to the webtop there.  I feel like there is probably an easier way to do this, but I've yet to find one.

Why do it that way?  I would love to just MFA them from the start, but I've been told I cannot MFA everyone from the get-go... only certain people and at the time of access.  I hope this makes some semblance of sense.

Thank you all in advance for any insight you can provide.