Forum Discussion

Pisitpong_vis's avatar
Icon for Nimbostratus rankNimbostratus
Jun 20, 2022

Keycloak as IDP for F5 APM via SAML

I have a requirement from our customer to do MFA authentication on F5 APM module and use Keycloak as Identity provider to control their access to web application. Since the keycloak is operate by different team, the internal operation team don’t have an authorize to do MFA on keycloak. They will use F5 APM to perform MFA instead.

Existing environment.


Protect your web application by deploy F5 as web proxy.


Import your SAML metadata to F5 APM

Start by login to your keycloak console and downlond SAML metadata

Make sure you have right realm selected.

Save as you metadata

Navigate to External IDP connector

Create External IDP connector

Upload your Metadata previously downloaded and name your SAML IDP connector

Create your certificate.

Navigate to SSL Certificate list console

Create your new certificate

Configuration your parameter and click finish

Create your Local SP Service

Navigate to local SP service console

Click create new SP service

Input name, EntityID and SP name setting

Config POST as assertion consumer service binding

Configuration security setting with certificate generated earlier and click OK

Binding your SP service with IDP connector

Select your newly SP service created

Add new row and select you IDP connector profile.

Import your SP service to Keycloak

Export your SP service

Create new client on Keycloak

Select file downloaded from previous section

Click save



1 Reply

  • Create Access policy

    Navigate to Access policy console

    Name Access policy, language and click finish

    Edit your newly created Policy

    Click add

    Add SAML Auth

    Config SAML Auth with SP service created earlier.

    Add OTP Generate

    Config OTP with 6 digital and click finish

    Click add

    Add logon page

    Change username to NONE and config GUI interface and save

    Click add

    Add OTP verify

    Use the default setting

    Click add

    Add email to send your OTP

    Configuration email setting

    Apply your Access policy

    Create New VIP

    Navigate to Virtual server console

    Config parameter for your VIP

    Apply Access policies and pool. Click finish

    Test your application by access