Moeter
Oct 21, 2025
Solved

SAML - LTM in front of SP

Hi everybody!

We’ve got an F5 BIG-IP set up as a SAML IdP and an on-prem application acting as the SAML Service Provider (SP).
The SP itself has two backend servers, which we’d like to load balance through the F5.

Our goal is for all traffic between users and the SP to go through the F5 — not just the authentication part.
In a typical SAML setup with F5 acting just as IdP, once the user is authenticated, the browser goes straight to the SP.
That’s fine in theory, but in our case we’d rather keep the F5 in the mix — both as the SAML IdP and as a reverse proxy/load balancer for the SP.

1) Is it enough to just configure the IdP side on the F5 and point the ACS (Assertion Consumer Service) URL to the LTM virtual server?

The idea being: the F5 receives the SAML Response and quietly passes it on to one of the backend SPs behind the same VS.

2) What’s the best way to troubleshoot or confirm that the SAML Response actually makes it from the F5 to the backend SP?

For example, can I see this in the APM logs, session variables, or should I go full “tcpdump ninja”?

Basically: how do I prove the SAML assertion isn’t getting lost somewhere between the F5 and the SP?

Many thanks in advance!
6 Replies

  • Hi Moeter

    An approach would be to use SAML inline SSO; check this: https://techdocs.f5.com/en-us/bigip-16-0-0/big-ip-access-policy-manager-saml-configuration/config-apm-as-saml-idp-inline-sso.html

    But if you want a simpler approach you could just create a Virtual Server for the SP itself.
    In this case just pointing the ACS to the Virtual Server IP would be enough. But depending on the application itself you might also need some persistence.

    If you want to have both IdP and SP under the same Virtual Server you will have to disable the Access Policy for the SP FQDN with some iRule.

    The easiest way to troubleshoot SAML assertions for me is through a browser plugin like SAML-tracer plus logging on the F5 itself.

  • Moeter

    Yeah, I’ve stumbled across Inline SSO before — and that actually makes a lot of sense in this setup.

    If I got this right, all I need is:

    - a Virtual Server with a Pool (for the backend SPs),

    - an APM profile that authenticates the user (acting as IdP), and

    - on that APM profile, configure the SAML SSO object as the SSO method.

    - No need for Resource Assignment on that APM Policy?

    That way, once the user is authenticated, the F5 will perform SSO towards the backend SP automatically.
    No need to disable the APM policy, since you’ll have a valid session at that point — right? Or did I miss something subtle here?

    And yeah, SAML Tracer is a great tool — I’m using it too.
    But in this setup, it will only show the messages between the user and the F5, not what the F5 forwards to the backend SP.
    That’s the tricky part, since the SAML response to the SP happens behind the scenes (server-side).
    So I guess for that part, we’d need to rely on tcpdump on the internal VLAN to actually see what’s happening.

    Having a Virtual Server for the SP in front of the backend pool would be also fine — I’ve already tried that setup, though, and it’s not working as expected.

    That’s why I’m suspecting the issue might be that the SAML Response isn’t being passed from the F5 to the backend SP.

  • Having a VS in front of SP should work. So I assume something is not configured correctly.

    For inline SSO, yes, you will not see SAML between the F5 and the server through the browser.

    • Moeter

      I'm not sure what could be wrong with a "simple" LTM VS in front. Load balancing is already working.

      Nevertheless, I will have the chance to do more testing in a couple of days, and will keep you posted about the results :)

      • Injeyan_Kostas

        Check the persistence or test with only one pool member.

        Also check that the SAML config is correct. I mean at some point you mention changing the ACS, but you don't really need to change the ACS. You have to point the DNS record of the ACS to the F5.
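One way to answer the troubleshooting question raised in the thread (does the SAML Response actually reach the backend SP, and is it addressed to the SP's ACS?) is to decode the POST body captured on the internal VLAN and check its Destination, Recipient, Audience and status. The script below is an added example, not code from the thread or from F5; the capture body, hostnames and entity IDs in it are constructed.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed minimal SAML Response (a real one is signed and far longer);
# hostnames and entity IDs are made up for this example.
EXPECTED_ACS = "https://sp.example.internal/saml/acs"
EXPECTED_AUDIENCE = "https://sp.example.internal/sp"
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" '
    f'Destination="{EXPECTED_ACS}">'
    '<saml:Issuer>https://idp.example.internal/idp</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<saml:Assertion ID="_a1"><saml:Subject><saml:SubjectConfirmation>'
    f'<saml:SubjectConfirmationData Recipient="{EXPECTED_ACS}"/>'
    '</saml:SubjectConfirmation></saml:Subject><saml:Conditions>'
    f'<saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>'
)
# The form body as it would appear in a capture of the POST to the pool member
# (HTTP-POST binding: base64 inside a URL-encoded form, so '+' and '=' are escaped).
SAMPLE_POST_BODY = urlencode({
    "SAMLResponse": base64.b64encode(SAMPLE_XML.encode()).decode(),
    "RelayState": "abc",
})


def check_saml_response(post_body: str, expected_acs: str, expected_audience: str) -> dict:
    """Decode the SAMLResponse form field and report whether it targets the SP."""
    params = parse_qs(post_body)
    if "SAMLResponse" not in params:
        return {"present": False}  # nothing SAML-related reached this hop
    root = ET.fromstring(base64.b64decode(params["SAMLResponse"][0]))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    audience = root.find(".//saml:Audience", NS)
    return {
        "present": True,
        "has_assertion": root.find("saml:Assertion", NS) is not None,
        "status_success": status is not None and status.get("Value", "").endswith(":Success"),
        "destination_ok": root.get("Destination") == expected_acs,  # must be the SP's ACS URL
        "recipient_ok": scd is not None and scd.get("Recipient") == expected_acs,
        "audience_ok": audience is not None and audience.text == expected_audience,
        "relay_state": params.get("RelayState", [None])[0],
    }
```

Feed it the body of the POST to `/saml/acs` seen on the server-side VLAN: if `present` is False the response never left the F5, and a False `destination_ok` or `recipient_ok` means the ACS URL in the IdP configuration does not match what the SP expects.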