Secure VCenter SSO with F5 APM
Hey folks,
Hope somebody can give me the proper hint for this: we have a VMware vCenter env, which we want to secure with F5 APM (Single Sign-On). The only way on vCenter SSO is to configure ADFS as Identity Provider.
Is there any chance to use F5 APM here instead, maybe as OAuth Auth Server? In the end APM should use our standard identity provider Azure AD for authentication.
Azure AD authentication is already working on an example app, but I didn't get the configuration up to use this as a kind of authentication proxy for vCenter 😕
Happy for any suggestions
- PSilva (Ret. Employee)
You might have seen this but here's the Manual on Using APM as a SAML IdP SSO portal: https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-1-0/30.html
This is about About SSO Credential Mapping: https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/access-policy-item-reference/about-assignment-items/about-sso-credential-mapping.html
This is about Configuring APM as a SAML IdP for Inline SSO: https://techdocs.f5.com/en-us/bigip-16-1-0/big-ip-access-policy-manager-saml-configuration/config-apm-as-saml-idp-inline-sso.html
And, this is about Seamless SSO: Azure with SAML and MFA: https://techdocs.f5.com/en-us/bigip-16-1-0/big-ip-access-policy-manager-per-request-policies/implementing-seamless-sso-azure-saml-mfa.html
I know it's not vCenter, but here's the info on Integrating APM with VMware Identity Manager: https://techdocs.f5.com/en-us/bigip-17-0-0/big-ip-access-policy-manager-third-party-integration/integrating-apm-with-vmware-identity-manager.html
No idea if any of that helps?
ps
- Cirrus
Thanks for the suggestions. We already configured a few of these topics for other use cases, but for vCenter we didn't get it working. We will now try Lucas_Thompson's suggestion to directly connect vCenter to Azure AD and just use some LTM functions on the VS side.
Let's see if this works.
- Leslie_Hubertus (Ret. Employee)
Lucas_Thompson might know the answer to your question.
- Lucas_Thompson (Employee)
Reading this, it looks like you can configure vCenter as an OIDC Resource Server and OIDC Client. Then you could configure APM as an OIDC AS (using your AD as a directory source).
But if your directory is Azure AD anyway, you might as well just use it as an OIDC AS directly instead of adding the extra APM step.
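A client-side view of the OIDC flow described in the post above (vCenter as OIDC client and resource server, APM or Azure AD as the authorization server), as an added example that is not from this thread, F5 or VMware. ISSUER, CLIENT_ID and REDIRECT_URI are assumed placeholders, and the ID token is HS256-signed with a constructed shared secret so the script runs offline; a real IdP signs ID tokens with RS256 and publishes its keys at the jwks_uri from the discovery document, so in production the signature check is an RSA verification against that key set. What the example shows is the set of checks the relying party must perform on an ID token regardless of which authorization server is chosen: alg, signature, iss, aud, exp and the nonce that binds the token to the authorization request.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

# Assumed placeholders (not taken from the thread); substitute the tenant's
# real values from its OIDC discovery document.
ISSUER = "https://idp.example.com"
CLIENT_ID = "vcenter-demo-client"
REDIRECT_URI = "https://vcenter.example.com/ui/login/oauth2/authcode"
# Demo only: HMAC secret so the script runs offline. Real IdPs use RS256 and
# the verifier fetches the public key from jwks_uri instead of holding a secret.
DEMO_SECRET = b"constructed-demo-secret-do-not-use"
DEMO_NOW = 1_700_000_000  # fixed clock so results are reproducible


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_authorization_request():
    """Client side: authorization-code request with state, nonce and PKCE (S256)."""
    state = secrets.token_urlsafe(16)       # CSRF binding for the redirect
    nonce = secrets.token_urlsafe(16)       # replay binding for the ID token
    verifier = secrets.token_urlsafe(32)    # 43 chars, within PKCE's 43..128
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    url = f"{ISSUER}/authorize?{urlencode(params)}"
    # The client must persist these in the user's session until the callback.
    return url, {"state": state, "nonce": nonce, "code_verifier": verifier}


def mint_demo_id_token(claims: dict) -> str:
    """Stands in for the IdP: HS256-signed JWT (demo only, see lead-in)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def validate_id_token(token: str, expected_nonce: str, now=None) -> dict:
    """Relying-party side: the ID token checks OIDC Core 3.1.3.7 requires."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never accept "none" or whatever the header claims.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(DEMO_SECRET, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def validate_or_reason(token: str, expected_nonce: str, now=DEMO_NOW) -> str:
    """Return '' if the token is accepted, else the rejection reason."""
    try:
        validate_id_token(token, expected_nonce, now)
        return ""
    except ValueError as e:
        return str(e)


def reject_reason(claims: dict, expected_nonce: str, now=DEMO_NOW) -> str:
    return validate_or_reason(mint_demo_id_token(claims), expected_nonce, now)


def demo_flow(now=DEMO_NOW) -> str:
    """End to end: build the request, IdP mints a token bound to our nonce, validate it."""
    _url, session = build_authorization_request()
    token = mint_demo_id_token({"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID,
                                "iat": now, "exp": now + 300,
                                "nonce": session["nonce"]})
    return validate_id_token(token, session["nonce"], now)["sub"]


if __name__ == "__main__":
    print("authenticated subject:", demo_flow())
```

Each rejection path above corresponds to a concrete attack (token from another tenant, token issued for another app, replayed or expired token, forged signature), so the checks are the minimum any relying party in front of vCenter, whether APM or vCenter's own OIDC client, has to get right.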
- Cirrus
Thanks for the suggestion. In the end we wanted to have everything on the F5, as we also want to have some special iRules applied on the vCenter VS.
But yeah, this would also be a good idea: just connect vCenter directly to Azure AD and kick out the APM part. I guess the LTM part with the VS should still work then.
Will try this out in the next few days and come back to this.