Forum Discussion

Nimbostratus

Oct 21, 2025

Solved

SAML - LTM in front of SP

Hi everybody! We’ve got an F5 BIG-IP set up as a SAML IdP and an on-prem application acting as the SAML Service Provider (SP). The SP itself has two backend servers, which we’d like to load balance...

Injeyan_Kostas
Oct 21, 2025
Hi Moeter

An approch would be to use SAML inline SSO check this https://techdocs.f5.com/en-us/bigip-16-0-0/big-ip-access-policy-manager-saml-configuration/config-apm-as-saml-idp-inline-sso.html
But It you want a simpler approach you could just create a Virtual Server for the SP itslelf
In this case just pointing ACS to Virtual Server IP would be enough. But dependign on the application itslef you might also need some persistence.
If you want to have both IDP and SP under same Virtual Server you will have to disable Access Policy dor SP fqdn with some irule
The easiest way to troublshoot SAML asserions for me is though Browser plugin lik SAML-tracer plus logging on f5 itself.

Injeyan_Kostas

Nacreous

Oct 21, 2025

Hi Moeter

An approch would be to use SAML inline SSO check this https://techdocs.f5.com/en-us/bigip-16-0-0/big-ip-access-policy-manager-saml-configuration/config-apm-as-saml-idp-inline-sso.html

But It you want a simpler approach you could just create a Virtual Server for the SP itslelf
In this case just pointing ACS to Virtual Server IP would be enough. But dependign on the application itslef you might also need some persistence.

If you want to have both IDP and SP under same Virtual Server you will have to disable Access Policy dor SP fqdn with some irule

The easiest way to troublshoot SAML asserions for me is though Browser plugin lik SAML-tracer plus logging on f5 itself.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)