For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Greg_130338's avatar
Greg_130338
Icon for Nimbostratus rankNimbostratus
Jan 03, 2014

SAML SP post binding to IdP

Hey all, I am currently investigating the capabilities of integrating the BigIP as an SP with an external IdP (shibboleth). I am providing a login page on the BigIP with an access policy that falls b...
saml
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Jan 03, 2014

Generally speaking, it is the IdP that challenges the user for credentials and the SP consumes a trusted assertion from that IdP. The SP wouldn't challenge the user for credentials. So in the barest form, your APM SP would be in front of the app, and the Shibboleth IdP would be a physically separate entity that the client contacts. Now, technically speaking, if the Shibboleth service was also behind an APM VIP, that would more likely just be an SSO configuration where a logon page collects credentials, maybe does some pre-validation, POSTs those credentials to the Shibboleth logon page, and lets the SAML from Shibbloeth pass through. But arguably, if you're putting the IdP behind an APM VIP, why not just let APM be the IdP and save yourself the trouble of maintaining another app service.