How to create an APM policy for on-prem application that uses SAML
Hello,
I would like some guidance on how to configure an APM policy and SSO. Basically, present a portal to force authentication when accessing https://mysite.example.com, for example.
https://mysite.example.com is an on-prem application which is configured for ADFS SAML authentication on an external IdP.
Before adding an APM policy the traffic flow goes as follows.
- User accesses https://mysite.example.com (this app is behind F5 LTM)
- mysite.example.com redirects the user to authenticate to myadfs.example.com and the user gets prompted by ADFS for username and password.
- myadfs.example.com authenticates and redirects back to mysite.example.com
- User is able to access mysite.example.com.
After adding the APM policy the traffic flow goes as follows.
- User accesses https://mysite.example.com (this app is behind F5 LTM)
- F5 presents a prompt for username and password (AD authentication)
- User is successfully authenticated.
- Access is granted to https://mysite.example.com
- mysite.example.com redirects the user to authenticate to myadfs.example.com ("AGAIN", can this be prevented since they already authenticated?) and the user gets prompted by ADFS for username and password.
- myadfs.example.com authenticates and redirects back to mysite.example.com
- User is able to access mysite.example.com.
Any advice is really appreciated.
Hi!
Depending on what you need to achieve, you may:
- Configure APM to authenticate users using your ADFS SAML IdP. On the user side nothing changes compared to how it works now: they browse https://mysite.example.com => APM redirects to myadfs.example.com => the user logs in and gets redirected to https://mysite.example.com => APM authenticates the user and passes traffic to the backend => the backend redirects one more time to myadfs.example.com, but as the user is already logged in to ADFS no action is required and the user automatically gets redirected back to the backend. (In this case the SSO is built into SAML: you authenticate once in ADFS and this authentication is passed to APM and the backend.)
- Option 2 is to configure your backend server to allow Kerberos / header authentication. Then configure an SSO profile on APM to pass the user authentication to the backend with Kerberos / NTLM.
Other options can also work but are more complex and may consume more concurrent session licences on APM.
Regards,
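Added example, not code from the post or from F5: a toy Python model of the flows discussed above, with ADFS as the IdP and both APM and the backend acting as SAML service providers. The entity IDs, browser/user names and session bookkeeping are assumed for the model, and real SAML XML and signatures are left out. It shows why option 1 prompts the user once (the backend's second redirect reuses the existing IdP session), why an APM AD logon form in front of a SAML backend prompts twice, and why each SP must check the assertion's audience before creating a session.

```python
from dataclasses import dataclass, field

IDP = "https://myadfs.example.com"
APM_SP = "https://mysite.example.com/saml/sp"   # assumed APM SP entity ID
BACKEND_SP = "https://mysite.example.com/app"    # assumed backend SP entity ID

@dataclass
class Assertion:          # stand-in for a SAML assertion, no XML or signature
    issuer: str
    audience: str         # the SP this assertion was issued for
    subject: str

@dataclass
class IdpSim:
    """ADFS stand-in: one IdP session per browser, counts login prompts shown."""
    sessions: dict = field(default_factory=dict)  # browser -> authenticated user
    prompts: int = 0

    def sso(self, browser, sp_entity_id, login=None):
        if browser not in self.sessions:
            self.prompts += 1            # no IdP session: user sees the ADFS form
            if login is None:
                return None              # user did not log in
            self.sessions[browser] = login
        return Assertion(IDP, sp_entity_id, self.sessions[browser])

class SpSim:
    """Service-provider stand-in (APM or the backend) that validates assertions."""
    def __init__(self, entity_id):
        self.entity_id, self.sessions = entity_id, {}
    def accept(self, browser, a):
        # Audience check: an assertion issued for one SP is not valid at another.
        if a is None or a.issuer != IDP or a.audience != self.entity_id:
            return False
        self.sessions[browser] = a.subject
        return True

def option1_flow(browser="alice-browser", user="alice"):
    """Option 1: APM as SAML SP in front of a backend that is itself a SAML SP."""
    idp, apm, backend = IdpSim(), SpSim(APM_SP), SpSim(BACKEND_SP)
    ok1 = apm.accept(browser, idp.sso(browser, APM_SP, login=user))  # prompt no. 1
    ok2 = backend.accept(browser, idp.sso(browser, BACKEND_SP))      # IdP session reused
    return ok1 and ok2, idp.prompts

def ad_form_then_saml_flow(browser="alice-browser", user="alice"):
    """The asker's setup: APM shows its own AD logon form, backend still does SAML."""
    idp, backend = IdpSim(), SpSim(BACKEND_SP)
    ok = backend.accept(browser, idp.sso(browser, BACKEND_SP, login=user))  # ADFS prompts again
    return ok, 1 + idp.prompts       # 1 = APM's AD form, plus ADFS prompts
```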