Forum Discussion

JustCooLpOOLe's avatar
JustCooLpOOLe
Icon for Cirrocumulus rankCirrocumulus
3 years ago

Smart card authentication (i.e. CAC) and SAML for API Authentication

Just throwing this out there... Considering you want to have systems and processes querying an API and you wanted to implement the BIG-IP as the Identity Provider using SAML but you also have a requ...
application delivery
security
Daniel_Wolf's avatar
Daniel_Wolf
Icon for MVP rankMVP
3 years ago

Hi JustCooLpOOLe,

 

the process for a browser is the same as for a service. A client (browser or service) tries to access an API. The SP will redirect the client to the IdP. The IdP (F5 APM) will ask for a client certificate and validate the certificate. The IdP will then issue a SAML token and redirect the client back to the SP. The SP will accept the token.

It think the difference is in the capability of the client to follow the SAML authentication flow. A browser can follow the flow described above for sure. A service might need to be re-programmed.

Whilst, in my personal opinion, using JWT or Opaque tokens are better suited for API authentication or server-to-server authorization than SAML, I don't see a reason why this should not work.

KR
Daniel