Forum Discussion

AlexS_yb's avatar
AlexS_yb
Icon for Cirrocumulus rankCirrocumulus
Dec 30, 2022

OAuth server setup Q - APM

Hi   auth.demo.com >> APM OAuth server res.demo.com >> APM Client / resource OAuth server   res.demo.com/protectedurl >> OAuth protected resource So when you go to res.demo.com/protectedurl you...
security
Lucas_Thompson's avatar
Lucas_Thompson
Icon for Employee rankEmployee
Jan 27, 2023

As you've discovered, APM acting as OAuth AS deletes the user session immediately upon issuing a token. This isn't ideal if you want to keep the session alive doing multiple use cases.

APM as SAML IdP does not have this behavior. You may be better off using SAML. Another benefit of SAML is that you can pass more claims data in the assertion.

 

AlexS_yb's avatar
AlexS_yb
Icon for Cirrocumulus rankCirrocumulus
Jan 28, 2023

Hi

 

Yes seems like a bad design from F5 on this.

Yes i have saml in the mix already - but ... not good for scripting - saml by default uses posts.

there is artifacting binding - which uses a get and allow the SP to talk to the IDP directly by passing the client - but the F5 implementation doesn't work

I explained a potential work around with the OAuth apm being on a VS by itself behind the main VS - you would have to save and restore the APM tokens.  Too much hard work for me right now 🙂