Single IDP, multiple SP and passing SAML
We have an application that is SAML SP aware using Keycloak, and I have configured the SP directly to the Okta IdP, and that works like a charm.
Having said that, we also have the F5 APM module that we want in the mix, acting like an SP proxy of sorts, but I am having trouble visualizing how that would work. I have some questions around having multiple SPs (basically F5 APM acting as an SP and the endpoint app as well) and a single IdP (Okta), and how to pass SAML along.
I have attached a picture of what we are trying to do and I have the following questions:
a) Can the first SP (F5 APM in this case) pass along or proxy the SAML context info down to the second SP?
b) If I configure the endpoint application's SP and IdP back to Okta, where would Okta send the ACS request in response? Back to the F5 APM module or back to the app? I would think that means we need 2 Okta applications?
c) Since F5 APM will ALWAYS be the front door, does the application even need to have the IdP configured, because that would have been taken care of by the F5 APM SP module?
I still question the need for the whole APM module in this particular use case, since our app is SAML aware already. I understand when there is a need for apps that are not SAML aware and APM is used to extract SAML attributes and inject them, for example, into headers that apps downstream understand, etc.
Now, I have seen this article that sounds like what we need; it's called inline SAML SSO, but it's not very clear in terms of the configuration required, because we tried this but seem to be in some sort of endless redirect loop: https://support.f5.com/csp/article/K06743491
Also, this video sort of speaks to our issue and states the key is multiple DNS names, but again doesn't go into details on the APM config required to get this to work: https://www.youtube.com/watch?v=WdRJZ5BnZug
Anyway, any help around this would be greatly appreciated, or pointing us to some clear documentation around configuring this.
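Question a) above hinges on what an SP is required to check before accepting an assertion. The following is an added example (not from the original post, F5, Okta or Keycloak) showing the audience, recipient and validity-window checks a SAML 2.0 SP performs; a constructed assertion issued for a hypothetical front-door SP ("sp-a") passes at that SP and fails at a hypothetical second SP ("app"), which is why an assertion cannot simply be forwarded from one SP to another. All entity IDs and URLs are made up.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion issued for the front-door SP ("sp-a").
# Issuer, entity IDs, ACS URL and timestamps are all hypothetical.
ASSERTION_FOR_SP_A = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp-a.example.test/saml/acs"
          NotOnOrAfter="2024-01-01T00:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp-a.example.test/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Constructed "current time" inside the assertion's validity window.
SAMPLE_NOW = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)

def check_assertion_for_sp(xml_text, sp_entity_id, sp_acs_url, now):
    """Return the reasons this SP must reject the assertion (empty = accepted).
    XML signature verification is deliberately out of scope and must also be done."""
    root = ET.fromstring(xml_text)
    problems = []
    # AudienceRestriction: the assertion is only valid for the named SP entity ID.
    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("audience mismatch: %r not in %r" % (sp_entity_id, audiences))
    # Bearer confirmation: Recipient must be this SP's own ACS URL.
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != sp_acs_url:
        problems.append("recipient mismatch")
    # Conditions window: NotBefore <= now < NotOnOrAfter.
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        not_before = datetime.fromisoformat(cond.get("NotBefore").replace("Z", "+00:00"))
        not_after = datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00"))
        if not (not_before <= now < not_after):
            problems.append("assertion outside validity window")
    return problems
```

Run `check_assertion_for_sp` once with the sp-a entity ID and ACS URL and once with the app's; the second call returns both an audience and a recipient mismatch.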