Forum Discussion
F5 SAML IdP with Okta User Facing
Hello, in this use case is OKTA also an IdP? If so I would think you could deploy this using IdP chaining. From the APM Operations Guide:
https://support.f5.com/csp/article/K08200035
"When you use SAML inline SSO, when BIG-IP APM receives an SP authentication request, it generates a SAML assertion on-the-fly to automatically sign in the user. The BIG-IP APM IdP is chained so that it accepts an assertion from another SAML IdP to create the session. The system constructs session data using the same method."
And some example configurations:
https://devcentral.f5.com/s/articles/apm-cookbook-saml-idp-chaining
Thanks for the response Dave,
If I'm understanding the example you linked, the end user would first connect to F5, which would then relay the authentication request to the IdP (in my case Okta), which would then reply with a "yes" to F5, which would then allow them into the resource they want. In my use case I would like a user to first connect to Okta, then press a resource button (Salesforce, for example) which would use F5 to gain access to its pre-existing SAML resources.
Okta has released a guide to run Okta as IdP and F5 as SP to access web resources behind the F5; however, these resources are not SAML, so I don't believe it would work the same way.
- Dave_W, Sep 13, 2019, Employee
Hello, if I am following your environment correctly I think it would be like this, User>>OKTA as IdP>>APM as IdP>>Service. Hence the term IdP chaining.
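The User>>Okta as IdP>>APM as IdP>>Service chain above, modelled as an added example (not F5, Okta or DevCentral code): the middle hop must validate the upstream assertion (signature, issuer, audience, validity window) before minting its own for the SP. Entity IDs and keys are constructed, and an HMAC over a dict stands in for a signed SAML XML assertion.

```python
"""Model of SAML IdP chaining: Okta (upstream IdP) -> APM (chained IdP) -> SP.
Illustration only; the dict + HMAC stand in for a signed XML assertion."""
import hashlib
import hmac
import json
import time

# Constructed sample keys and entity IDs (assumptions, not real values).
OKTA_KEY = b"okta-signing-key"
APM_KEY = b"apm-signing-key"
OKTA_ISSUER = "https://okta.example.com/idp"
APM_ENTITY = "https://apm.example.com/idp"
SP_ENTITY = "https://salesforce.example.com/sp"

def sign(assertion, key):
    body = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def issue(issuer, key, subject, audience, lifetime=300, now=None):
    """Mint an assertion for one audience with a short validity window."""
    now = time.time() if now is None else now
    a = {"issuer": issuer, "subject": subject, "audience": audience,
         "not_before": now, "not_on_or_after": now + lifetime}
    return a, sign(a, key)

def validate(assertion, signature, expected_issuer, key, my_entity, now=None):
    """Checks a relying party (here the chained IdP) makes before trusting it."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(sign(assertion, key), signature):
        raise ValueError("bad signature")
    if assertion["issuer"] != expected_issuer:
        raise ValueError("unexpected issuer")
    if assertion["audience"] != my_entity:  # assertion was not minted for us
        raise ValueError("audience mismatch")
    if not assertion["not_before"] <= now < assertion["not_on_or_after"]:
        raise ValueError("outside validity window")
    return assertion["subject"]

def apm_chain(okta_assertion, okta_sig, now=None):
    """APM as chained IdP: accept Okta's assertion, then issue its own for the SP."""
    subject = validate(okta_assertion, okta_sig, OKTA_ISSUER, OKTA_KEY, APM_ENTITY, now)
    return issue(APM_ENTITY, APM_KEY, subject, SP_ENTITY, now=now)

def demo(now=1_600_000_000):
    """Full chain: Okta -> APM -> SP; returns the subject the SP ends up with."""
    okta_a, okta_sig = issue(OKTA_ISSUER, OKTA_KEY, "alice@example.com", APM_ENTITY, now=now)
    sp_a, sp_sig = apm_chain(okta_a, okta_sig, now)
    # The SP validates APM's assertion against APM's key and its own entity ID.
    return validate(sp_a, sp_sig, APM_ENTITY, APM_KEY, SP_ENTITY, now)
```

The audience check is the one that matters most in a chain: an assertion Okta issued for some other SP must not be accepted by APM as proof of login.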