Forum Discussion

Nimbostratus

Nov 12, 2013

SAML SSO Without a Webtop

The F5 is the SAML IDP for an external cloud based service. I am working on setting up and testing this on a webtop. Is it possible to not have to use a webtop? For example, setup an internal DNS rec...

availability

BIG-IP Access Policy Manager (APM)

Employee

Oct 14, 2015

Right, because you're sending the new APM an access token that it doesn't own. It's a little tricky here because you're using DNS to flip between the sites, so regardless of the domain scope the host name would be the same (with different IP) so the client would still send the cookie. The domain scope only exacerbates that problem. The only option I can think of is to maybe perform a check in the HTTP_REQUEST, such that if a client presents a session token that doesn't exists in the local session table, forcefully remove that cookie in a redirect back to the requested URL.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

SAML SSO Without a Webtop

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

Checking for X-Forwarded-For against an Address Data-Group

SSL Bridging and FQDN rewrite Policy

Cisco TACACS+ Config on ISE LTM Pair

How can I get started with iCall

iRule causing requests to be duplicated (sometimes)

Related Content

Creating a SSL VPN Using F5 Full Webtop

SAML - LTM in front of SP

APM Cookbook: AutoLaunch SAML Resources

Enable SAML Service Provider on F5 Distributed Cloud Application

SAML F5 SP - Microsoft Entra

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS