Forum Discussion

Pisitpong_vis
Jun 20, 2022

Keycloak as IDP for F5 APM via SAML

I have a requirement from our customer to do MFA authentication on the F5 APM module and use Keycloak as the identity provider to control their access to a web application. Since Keycloak is operated by a different team, the internal operations team doesn't have authorization to do MFA on Keycloak. They will use F5 APM to perform MFA instead.

Existing environment.

Solution

Protect your web application by deploying F5 as a web proxy.

Configuration

Import your SAML metadata to F5 APM

Start by logging in to your Keycloak console and downloading the SAML metadata

Make sure you have the right realm selected.

Save your metadata

Navigate to the External IDP connector console

Create an External IDP connector

Upload the metadata downloaded previously and name your SAML IDP connector

Create your web.f5test.com certificate.

Navigate to the SSL Certificate List console

Create your new certificate

Configure your parameters and click Finish

Create your Local SP Service

Navigate to the Local SP Service console

Click Create to add a new SP service

Input the name, Entity ID and SP Name settings

Configure POST as the Assertion Consumer Service binding

Configure the security settings with the certificate generated earlier and click OK

Bind your SP service to the IDP connector

Select your newly created SP service

Add a new row and select your IDP connector profile.

Import your SP service into Keycloak

Export your SP service

Create new client on Keycloak

Select the file downloaded in the previous section

Click save
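A pre-flight check for the metadata exchange described in the post above, as an added example that is not part of the original post and not F5 or Keycloak tooling. Two documents change hands in the procedure: the IdP metadata downloaded from the Keycloak realm (served at `/realms/<realm>/protocol/saml/descriptor`) and the SP metadata exported from the F5 local SP service. The script below parses both with the standard library, pulls out the values you have to get right in the GUI steps (entityID, SSO and ACS endpoints, bindings, signing certificate) and flags the mismatches that typically produce a failed assertion after import. The two metadata strings are constructed samples; the hostnames `keycloak.example.com` and `web.f5test.com`, the realm name `f5test`, the ACS path and the certificate bytes are placeholders, not values from the post.

```python
"""Pre-flight checks on the IdP/SP SAML metadata pair before importing it.

Added example, not code from the original post. Standard library only; the two
metadata documents are constructed samples with placeholder hosts and cert bytes.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample shaped like a Keycloak realm descriptor; the certificate
# body is the placeholder base64 of "ABCDEFGH", not a real X.509 certificate.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://keycloak.example.com/realms/f5test">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>QUJDREVGR0g=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloak.example.com/realms/f5test/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://keycloak.example.com/realms/f5test/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample shaped like the SP metadata exported by F5 APM for a local
# SP service; ACS path and certificate bytes are placeholders.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://web.f5test.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>QUJDREVGR0g=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://web.f5test.com/saml/sp/profile/post/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _signing_certs(descriptor):
    """Base64 X.509 certs usable for signing (use="signing" or no use attribute)."""
    certs = []
    for kd in descriptor.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join(c.text.split()))
    return certs


def cert_fingerprint(b64_cert):
    """SHA-256 over the DER bytes, colon-separated, to compare with the console."""
    der = base64.b64decode("".join(b64_cert.split()))
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def parse_idp(xml_text):
    root = ET.fromstring(xml_text)
    desc = root.find("md:IDPSSODescriptor", NS)
    if desc is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    return {"entity_id": root.get("entityID"),
            "sso": {e.get("Binding"): e.get("Location")
                    for e in desc.findall("md:SingleSignOnService", NS)},
            "want_signed_requests": desc.get("WantAuthnRequestsSigned", "false").lower() == "true",
            "signing_certs": _signing_certs(desc)}


def parse_sp(xml_text):
    root = ET.fromstring(xml_text)
    desc = root.find("md:SPSSODescriptor", NS)
    if desc is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    return {"entity_id": root.get("entityID"),
            "acs": {e.get("Binding"): e.get("Location")
                    for e in desc.findall("md:AssertionConsumerService", NS)},
            "signs_requests": desc.get("AuthnRequestsSigned", "false").lower() == "true",
            "wants_signed_assertions": desc.get("WantAssertionsSigned", "false").lower() == "true",
            "signing_certs": _signing_certs(desc)}


def check_pair(idp, sp):
    """Return a list of findings; an empty list means the pair looks consistent."""
    findings = []
    if not idp["signing_certs"]:
        findings.append("IdP metadata has no signing certificate; the SP cannot verify assertions")
    if POST not in idp["sso"] and REDIRECT not in idp["sso"]:
        findings.append("IdP has no HTTP-POST or HTTP-Redirect SingleSignOnService")
    if idp["want_signed_requests"] and not sp["signs_requests"]:
        findings.append("IdP requires signed AuthnRequests but SP metadata says it does not sign them")
    if sp["signs_requests"] and not sp["signing_certs"]:
        findings.append("SP signs requests but exports no signing certificate for the IdP to verify")
    if POST not in sp["acs"]:
        findings.append("SP has no HTTP-POST AssertionConsumerService (the binding configured above)")
    if not sp["wants_signed_assertions"]:
        findings.append("SP does not set WantAssertionsSigned; confirm the IdP signs assertions")
    for who, ent in (("IdP", idp["entity_id"]), ("SP", sp["entity_id"])):
        if not ent:
            findings.append(f"{who} metadata has no entityID")
    return findings


if __name__ == "__main__":
    idp, sp = parse_idp(IDP_METADATA), parse_sp(SP_METADATA)
    print("IdP:", idp["entity_id"], idp["sso"].get(POST) or idp["sso"].get(REDIRECT))
    print("IdP signing cert SHA-256:", cert_fingerprint(idp["signing_certs"][0]))
    print("SP :", sp["entity_id"], sp["acs"].get(POST))
    for line in check_pair(idp, sp) or ["OK: metadata pair is consistent"]:
        print("-", line)
```

Run it against the real files (replace the two sample strings with `open(...).read()`) before doing the import steps: the entityID and ACS location printed for the SP are what Keycloak will store as the client ID and Valid Redirect URI, and the certificate fingerprint lets you confirm on the Keycloak realm keys page that the signing key you imported into the IDP connector is the active one rather than a rotated key.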