For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Rabbit23_116296's avatar
Rabbit23_116296
Icon for Nimbostratus rankNimbostratus
Jan 13, 2014

Idp Initiated SAML Single Sign On

Is it possible to go directly to a virtual server, authenticate and then POST the assertion directly to the service provider using Big IP? I've been testing this and I can not get the application to ...
BIG-IP Access Policy Manager (APM)
security
kj07208_118528's avatar
kj07208_118528
Icon for Cirrus rankCirrus
May 08, 2014

The relaystate is to carry additional information that the IDP has specified. I'm running into the same issue. If you start from the SP it all works but if you want to start from the IDP it's a lot more trickier. There are a couple of answers on devcentral but you have to use an irule. Sorry can't remember the direct article.

 

If they establish a session to the webtop then you can do link to the IDP as follows https://myfed.corp.com?saml_res=xyz (use the logs to get this information) I'm about to try this with using NTLM so the sign on is seamless and try the links that I stated above

 

  • Rabbit23_116296's avatar
    Rabbit23_116296
    Icon for Nimbostratus rankNimbostratus
    May 08, 2014
    Yes NTLM works great - i have a NTLM SSO solution https://devcentral.f5.com/s/articles/ntlm-integrated-sso-for-saml-with-the-apm-module-and-an-external-logon-page which works well for me but I''d advise you to try Michael's - he really did an amazing job with his implementation and its entirely native to the appliance - https://devcentral.f5.com/s/articles/leveraging-big-ip-apm-for-seamless-client-ntlm-authentication Let me know how it goes for you!