Kerberos and APM-based SAML IdP

Hi Evan and company. Which issues did you get fixed ?

Don't know if is exactly the same, but I'm trying to setup kerberos with SAML (with sso portal as per doc). Kerberos sso to webtop and IDP-initiated connections from here work as expected But when I try SP-initiated connections without webtop I got a collection of popups asking for auth, hangs in https://idp.xxx.com/saml/idp/profile/redirectorpost/sso/...

Is possible to get this to work ?

Is the BigIP as IdP and SP at the same time? And as IdP you are using KerberosAuth?

Yes both, I did follow: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-12-1-0/29.htmlconceptid

Now I want to use kerberos for AD users on internal network instead of logon form

If users reach webtop they are not prompted for auth, kerberos works fine. And they can launch IdP-initiated saml resources But if user goes to login.microsoftonline.com f.ex. and gets redirected to idp.xxx.com gets a prompt for auth. In other SP-initiated prompt does not appear but browser gots hung in redirectorpost url A simple apache frontend html doc with shibboleth SP works

Is the behaviour same across different browsers? Does the issue occur if it's a new browser session?

Starting from scratch, popup with O365 occurs always if is the first sp-initiated to be launched. If shibboleth is called first then works opening O365 in a new tab I think it occurs with Iexplore or chrome

I think is solved.Read in another post where Evan wrote about this

• Disable request-based auth in kerberos auth box on vpe

Thanks !

Cool!