Keycloak as IDP for F5 APM via SAML
I have a requirement from our customer to do MFA authentication on the F5 APM module and use Keycloak as the identity provider to control access to their web application. Since Keycloak is operated by a different team, the internal operations team is not authorized to configure MFA on Keycloak, so they will use F5 APM to perform MFA instead.
Existing environment.
Solution
Protect your web application by deploying F5 as a web proxy in front of it.
Configuration
Import your SAML metadata to F5 APM
Start by logging in to your Keycloak console and downloading the SAML metadata.
Make sure you have the right realm selected.
Save the metadata file.
Navigate to External IDP connector
Create External IDP connector
Upload the metadata you downloaded earlier and name your SAML IDP connector.
Create your web.f5test.com certificate.
Navigate to SSL Certificate list console
Create your new certificate
Configure the certificate parameters and click Finish.
Create your Local SP Service
Navigate to local SP service console
Click create new SP service
Input the name, Entity ID and SP name settings.
Configure POST as the assertion consumer service binding.
Configure the security settings with the certificate generated earlier and click OK.
Bind your SP service to the IDP connector
Select the SP service you just created.
Add a new row and select your IDP connector profile.
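Before the Keycloak metadata goes into the IDP connector and before the F5 SP export goes into Keycloak, it is worth checking that the two metadata files actually fit each other: the IdP publishes a signing certificate and HTTPS endpoints, the SP advertises the HTTP-POST assertion consumer service that was configured above, and the SP is set up to sign requests if the IdP demands it. The following is an added example, not code from the original post or from F5 or Keycloak; it only uses the Python standard library. The two XML documents are constructed stand-ins for the downloaded Keycloak metadata and the F5 SP export, and the realm name, the ACS path and the certificate bodies are placeholders.

```python
"""Cross-check Keycloak IdP metadata against F5 APM SP metadata.

Constructed example: both XML documents are hand-written stand-ins for the
Keycloak realm download and the F5 APM SP export; hostnames other than
web.f5test.com, the realm name, the ACS path and the certificate bodies are
placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://keycloak.example.test/realms/demo">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-IDP-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://keycloak.example.test/realms/demo/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://keycloak.example.test/realms/demo/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://web.f5test.com/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-SP-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://web.f5test.com/saml/sp/profile/post/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _signing_certs(descriptor):
    """Base64 bodies of the certificates usable for signing.
    A KeyDescriptor without a 'use' attribute covers signing and encryption."""
    return [
        cert.text.strip()
        for kd in descriptor.findall("md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing"
        for cert in kd.findall(".//ds:X509Certificate", NS)
        if cert.text
    ]


def parse_idp(xml_text):
    """Extract what APM needs from the IdP side: entityID, SSO endpoints, certs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor")
    return {
        "entity_id": root.get("entityID"),
        "sso": {e.get("Binding"): e.get("Location")
                for e in idp.findall("md:SingleSignOnService", NS)},
        "signing_certs": _signing_certs(idp),
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned") == "true",
    }


def parse_sp(xml_text):
    """Extract what Keycloak needs from the SP side: entityID, ACS endpoints, certs."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("not SP metadata: no SPSSODescriptor")
    return {
        "entity_id": root.get("entityID"),
        "acs": {e.get("Binding"): e.get("Location")
                for e in sp.findall("md:AssertionConsumerService", NS)},
        "signing_certs": _signing_certs(sp),
        "signs_requests": sp.get("AuthnRequestsSigned") == "true",
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
    }


def check_pairing(idp, sp):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    if not idp["entity_id"] or not sp["entity_id"]:
        findings.append("missing entityID")
    elif idp["entity_id"] == sp["entity_id"]:
        findings.append("IdP and SP share the same entityID")
    if not idp["signing_certs"]:
        findings.append("IdP publishes no signing certificate; APM cannot verify assertions")
    for loc in list(idp["sso"].values()) + list(sp["acs"].values()):
        if not (loc or "").startswith("https://"):
            findings.append(f"non-HTTPS endpoint: {loc}")
    if POST not in sp["acs"]:
        findings.append("SP has no HTTP-POST AssertionConsumerService")
    if not sp["wants_signed_assertions"]:
        findings.append("SP does not require signed assertions")
    if idp["wants_signed_requests"] and not (sp["signs_requests"] and sp["signing_certs"]):
        findings.append("IdP requires signed AuthnRequests but SP cannot sign them")
    return findings


if __name__ == "__main__":
    for finding in check_pairing(parse_idp(IDP_METADATA), parse_sp(SP_METADATA)) or ["OK"]:
        print(finding)
```

To run it against the real files, read the Keycloak download and the F5 export from disk and pass their contents to parse_idp and parse_sp instead of the embedded strings. The check deliberately treats a missing IdP signing certificate and a missing HTTP-POST ACS as hard findings, because those are the two items the F5 configuration above depends on.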
Import your SP service to Keycloak
Export your SP service
Create new client on Keycloak
Select the file downloaded in the previous section.
Click save