Forum Discussion
SAML - LTM in front of SP
- Oct 21, 2025
Hi Moeter
An approach would be to use SAML inline SSO, check this: https://techdocs.f5.com/en-us/bigip-16-0-0/big-ip-access-policy-manager-saml-configuration/config-apm-as-saml-idp-inline-sso.html
But if you want a simpler approach you could just create a Virtual Server for the SP itself.
In this case just pointing ACS to the Virtual Server IP would be enough. But depending on the application itself you might also need some persistence.
If you want to have both IDP and SP under the same Virtual Server you will have to disable the Access Policy for the SP FQDN with some iRule.
The easiest way to troubleshoot SAML assertions for me is through a browser plugin like SAML-tracer plus logging on the F5 itself.
Yeah, I’ve stumbled across Inline SSO before — and that actually makes a lot of sense in this setup.
If I got this right, all I need is:
- a Virtual Server with a Pool (for the backend SPs),
- an APM profile that authenticates the user (acting as IdP), and
- on that APM profile, configure the SAML SSO object as the SSO method.
- No need for Resource Assignment on that APM Policy?
That way, once the user is authenticated, the F5 will perform SSO towards the backend SP automatically.
No need to disable the APM policy, since you’ll have a valid session at that point — right? Or did I miss something subtle here?
And yeah, SAML Tracer is a great tool — I’m using it too.
But in this setup, it will only show the messages between the user and the F5, not what the F5 forwards to the backend SP.
That’s the tricky part, since the SAML response to the SP happens behind the scenes (server-side).
So I guess for that part, we’d need to rely on tcpdump on the internal VLAN to actually see what’s happening.
Having a Virtual Server for the SP in front of the backend pool would be also fine — I’ve already tried that setup, though, and it’s not working as expected.
That’s why I’m suspecting the issue might be that the SAML Response isn’t being passed from the F5 to the backend SP.
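
For the server-side leg discussed in this thread, the following added example (not code from either poster or from F5) decodes a `SAMLResponse` taken from an HTTP-POST body and reports whether its `Destination` and `Recipient` match the ACS URL the backend SP expects. It assumes the POST body has already been recovered as plaintext from the capture; the hostnames, IDs and the `inspect_saml_post` helper are constructed for illustration, and the code does not verify signatures.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

P = "{urn:oasis:names:tc:SAML:2.0:protocol}"
A = "{urn:oasis:names:tc:SAML:2.0:assertion}"

def inspect_saml_post(body, expected_acs):
    """Decode a SAMLResponse from an HTTP-POST binding body; report where it is addressed."""
    fields = parse_qs(body)
    if "SAMLResponse" not in fields:
        return {"found": False}  # the POST never carried a SAML response
    raw = base64.b64decode(fields["SAMLResponse"][0])
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD in SAML message, refusing to parse")
    root = ET.fromstring(raw)
    def text(path):
        node = root.find(path)
        return node.text.strip() if node is not None and node.text else None
    status = root.find(f"{P}Status/{P}StatusCode")
    scd = root.find(f".//{A}SubjectConfirmationData")
    report = {
        "found": True,
        "destination": root.get("Destination"),
        "issuer": text(f"{A}Issuer"),
        "status": status.get("Value") if status is not None else None,
        "audience": text(f".//{A}Audience"),
        "recipient": scd.get("Recipient") if scd is not None else None,
        "encrypted": root.find(f"{A}EncryptedAssertion") is not None,
    }
    # Both the Response Destination and the bearer Recipient must equal the SP's ACS URL.
    report["acs_match"] = report["destination"] == report["recipient"] == expected_acs
    return report

# Constructed sample: hostnames and IDs are placeholders, not values from the thread.
ACS = "https://sp.example.com/saml/acs"
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 Destination="{ACS}"><saml:Issuer>https://idp.example.com/idp</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>https://idp.example.com/idp</saml:Issuer>
 <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
 <saml:SubjectConfirmationData Recipient="{ACS}"/></saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
SAMPLE_BODY = urlencode({"SAMLResponse": base64.b64encode(SAMPLE_XML.encode()).decode(),
                         "RelayState": "constructed"})

if __name__ == "__main__":
    print(inspect_saml_post(SAMPLE_BODY, ACS))
```

A result of `{"found": False}` for a request reaching the backend means no SAML response was in the POST at all, while `acs_match: False` means one arrived but is addressed to a different URL than the SP's ACS.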
