Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

joesnyder_13328's avatar
joesnyder_13328
Icon for Nimbostratus rankNimbostratus
Jun 19, 2014

SAML Idp-Initiated Connections

I am new to the whole SAML thing and have been playing around with it. I have setup my saleforce dev account to work with our BigIp device and it works perfectly. Since I am still super new to this b...
BIG-IP Access Policy Manager (APM)
idp
saml
security
Matt_Dierick's avatar
Matt_Dierick
Icon for Employee rankEmployee
Jun 19, 2014

Hi,

 

Actually, when you bind your external SP connector to your local IDP, this is not a SP initiated (not really). It depends how you configure your APM IDP policy. You can use an APM as IDP for SP initiated and IDP initiated. It depends the way your set your policy. If you use SAML resources assigned to your webtop, you can use APM as SP and IDP initiated. If you do not assign any SAML resource or webtop, you can not use IDP initiated.

 

I mean, if you reach SFDC in first (SP initiated), you will be redirected to the IDP for auth and redirected to SFDC when done. If you reach the IDP in first (IDP initiated), you will be prompted with your SAML resource (SFDC) on the webtop.

 

If the second vendor only supports IDP initiated, you need to use a SAML resource in order to push the SAML assertion at the first SP connection. SAML resource needs a webtop. I don't know if we can force APM to start a SAML resource after login so that user does not see the webtop.