Forum Discussion

f5learn_164388
Apr 07, 2016

regarding ADFS WS-* and F5 SAML 2.0

Hi,

We are trying to set up SP-initiated SSO with a customer (the SP being the customer and our F5 APM being the IdP). The customer implementation requires support for WS-* (WS-Fed and WS-Trust), and going through the forums it looks like F5 does not support this.

So in the above scenario, is it possible to go with IdP-initiated SSO? With this our clients will go through our IdP first and we will generate the SAML 2.0 token that can be sent to the customer endpoint. In theory it sounds like this should work, but any expert advice would be appreciated. And yes, it may be OK to always go to the customer default page with IdP-initiated SSO.

Thanks ski
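As an added illustration (not from the original post, and not F5 APM or any customer code), the following shows the checks a receiving SP has to perform itself when an IdP-initiated SAML 2.0 Response arrives unsolicited at its ACS URL, which is the flow the question describes. Because no AuthnRequest was sent, there is no InResponseTo to bind the Response to a session, so audience, recipient, validity window and assertion-ID replay checks carry the weight. The sample Response, the issuer and endpoint URLs (idp.example, customer.example) and the function name are constructed for this example; the XML signature over the assertion is assumed to have been verified already by the SP's XML-DSig library and is not re-implemented here.

```python
"""SP-side sanity checks for an unsolicited (IdP-initiated) SAML 2.0 Response.

Constructed example, not F5 APM code. Assumes the assertion's XML signature
has already been verified by the SP's XML-DSig library; only the semantic
checks that matter once the signature is trusted are shown.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample of what an IdP would POST to the customer's ACS URL.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2016-04-07T10:00:00Z"
    Destination="https://customer.example/saml/acs">
  <saml:Issuer>https://idp.example/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-04-07T10:00:00Z">
    <saml:Issuer>https://idp.example/idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID>ski</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2016-04-07T10:05:00Z"
            Recipient="https://customer.example/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2016-04-07T09:59:00Z" NotOnOrAfter="2016-04-07T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://customer.example/sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """Parse the UTC 'Z' timestamp form used in SAML assertions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_idp_initiated_response(xml_text, expected_issuer, expected_audience,
                                 acs_url, now, seen_assertion_ids,
                                 skew=timedelta(seconds=60)):
    """Return a list of problems; an empty list means the Response is acceptable.

    seen_assertion_ids is the SP's replay cache; an accepted ID is added to it.
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    # An unsolicited Response must not claim to answer a request we never sent.
    if root.get("InResponseTo"):
        problems.append("unexpected InResponseTo on an IdP-initiated response")
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match our ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext saml:Assertion (encrypted assertions not handled here)"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected_issuer:
        problems.append("unexpected assertion Issuer %r" % issuer)
    # Without InResponseTo, the assertion ID is the only handle for replay detection.
    aid = assertion.get("ID")
    if not aid or aid in seen_assertion_ids:
        problems.append("assertion ID missing or already seen (replay)")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < parse_saml_time(nb):
            problems.append("assertion not yet valid")
        if noa and now - skew >= parse_saml_time(noa):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            problems.append("we are not in the AudienceRestriction")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("SubjectConfirmationData Recipient is not our ACS URL")
        noa = scd.get("NotOnOrAfter")
        if noa and now - skew >= parse_saml_time(noa):
            problems.append("bearer confirmation expired")
    if not problems:
        seen_assertion_ids.add(aid)
    return problems


if __name__ == "__main__":
    seen = set()
    now = parse_saml_time("2016-04-07T10:01:00Z")
    args = ("https://idp.example/idp", "https://customer.example/sp",
            "https://customer.example/saml/acs", now, seen)
    print(check_idp_initiated_response(SAMPLE_RESPONSE, *args))  # first delivery: []
    print(check_idp_initiated_response(SAMPLE_RESPONSE, *args))  # same assertion again: replay
```

The replay cache only needs to retain IDs until their NotOnOrAfter has passed (plus skew), which keeps it bounded; the clock-skew allowance is what lets the IdP and the customer's SP disagree by a minute without every login failing.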

5 Replies

  • Hello,

    You are right, WS-Fed is not supported by F5 APM.

    You can configure an IdP-initiated SAML SSO but can assign it only to one resource. As far as I know, you will not be able to use the same IdP for other resources (a new configuration will be required).

    Adding SAMLv2 upon WS-FED authentication is not recommended. Not for security reasons, but only for user experience...

    • f5learn_164388
      Thanks, Yann, for the comment. Could you please elaborate a little more on the user experience concern? I have not experimented with this yet in the lab but would be interested to know.