Forum Discussion
F5 APM SAML with Safenet and SharePoint
Hello,
The SAML assertion is consumed by the SP. In your situation I'd rather perform a Kerberos authentication via SSO Kerberos Profile on the SharePoint at the backend.
I think this is the easiest approach unless there is a technical constraint in your environment.
Let me know
Yoann
Hi Yoann
How can we achieve Kerberos SSO between F5 and SharePoint in this case? Do we need to configure Kerberos on Safenet (the external IDP) as well or not? On F5 APM, there are a few details required, like SPN, account name, password, Kerberos realm, and KDC. Should these details be retrieved from the IDP through the SAML assertion, or how? Is there a document that explains this?
- Dave_W (Employee), Feb 17, 2020
Hello,
Kerberos SSO is Constrained Delegation. Here is a guide on configuring it:
https://www.f5.com/pdf/deployment-guides/kerberos-constrained-delegation-dg.pdf
- SASA1 (Nimbostratus), Feb 17, 2020
Hi Dave
In the document, the integration is between F5 and AD, which is the KDC server. In our scenario, there is no AD. It is F5 as SAML SP and Safenet/Gemalto as SAML IDP. Does it mean that in this case Safenet will be the KDC server?
- Dave_W (Employee), Feb 25, 2020
Hello, that depends, but if the site supports Kerberos I would assume there is a KDC that supports it somewhere in this environment. Keep in mind that the Kerberos SSO in APM was designed with MS AD in mind so whatever KDC is present may work, but will need to mimic the AD Kerberos implementation.
