Forum Discussion

Nimbostratus

Nov 12, 2013

SAML SSO Without a Webtop

The F5 is the SAML IDP for an external cloud based service. I am working on setting up and testing this on a webtop. Is it possible to not have to use a webtop? For example, setup an internal DNS rec...

availability

BIG-IP Access Policy Manager (APM)

Nimbostratus

Feb 11, 2014

I did get it to work, one thing to be aware of is that the webtop does not allow cookie persistence. So if you want to avoid signing into your IDP when the SP session expires this is not an option for IDP initiated SSO.

So basically, create your webtop and in your access policy just before the allow event add advanced resource assign and assign the webtop to the access policy. Then you will find after logon you should get the webtop with the SAML resource(s) you published to the webtop.

Click on one of the links and this should take you through to your cloud service. Note this link will be similar to Michael Kofman's example above, which is which you simply add to an irule which means the user will never actually see the webtop but go to the service provider.

Let me know how it pans out.

Micah_Haarbrink

Nimbostratus

Feb 12, 2014

Is there something about the webtop that is required for IdP-initiated sessions? I have a couple SP-initiated SAML configs that work fine without a webtop. The only iRule I use for them is to establish the persistence of the cookie. They are basically "logon page -> AD auth -> Allow". You hit the service providers login page (a custom login page for us obviously), it kicks back to the F5, the F5 allows and the SAML exchange sends it back through to the service provider and we're in. I assumed that if I set up an access policy to just "logon page -> AD auth -> Allow" that the settings from the Service Provider that is bound to the IdP would get used and send me into the site in a similar manner (hit my own login page on the F5, authentication, SAML settings tell it to go to the SP which gets the POST that says the session is good). So is there something about the webtop that is required that I have to land on the webtop first and then the F5 does something additional when it sends me through to the SP?

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

SAML SSO Without a Webtop

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

Checking for X-Forwarded-For against an Address Data-Group

SSL Bridging and FQDN rewrite Policy

Cisco TACACS+ Config on ISE LTM Pair

iRule causing requests to be duplicated (sometimes)

How can I get started with iCall

Related Content

Creating a SSL VPN Using F5 Full Webtop

SAML - LTM in front of SP

APM Cookbook: AutoLaunch SAML Resources

Enable SAML Service Provider on F5 Distributed Cloud Application

SAML F5 SP - Microsoft Entra

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS