Forum Discussion
F5 SAML IdP with Okta User Facing
Hello, in this use case is OKTA also an IdP? If so I would think you could deploy this using IdP chaining. From the APM Operations Guide:
https://support.f5.com/csp/article/K08200035
"When you use SAML inline SSO, when BIG-IP APM receives an SP authentication request, it generates a SAML assertion on-the-fly to automatically sign in the user. The BIG-IP APM IdP is chained so that it accepts an assertion from another SAML IdP to create the session. The system constructs session data using the same method."
And some example configurations:
https://devcentral.f5.com/s/articles/apm-cookbook-saml-idp-chaining
- cmp19Sep 12, 2019Nimbostratus
Thanks for the response Dave,
If I'm understanding the example you linked, the end user would first connect to F5 which would then relay the authentication request to the IdP (in my case Okta) which would then reply with a "yes" to F5 which would then allow them into the resource they want. In my use case I would like a user to first connect to Okta who would then press a resource button (Salesforce, for example) which would use F5 to gain access to it's pre-existing SAML resources.
Okta has released a guide to run Okta as IDP and F5 as SP to access web resources behind the F5, however these resources are not SAML so I don't believe it would work the same way.
- Dave_WSep 13, 2019Employee
Hello, if I am following your environment correctly I think it would be like this, User>>OKTA as IdP>>APM as IdP>>Service. Hence the term IdP chaining.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com