Forum Discussion

shashank_shetti's avatar
shashank_shetti
Icon for Nimbostratus rankNimbostratus
Apr 06, 2016

SSO integration with existing website (Forms Authentication)

We are trying to integrate our vendor site into our existing website using saml2.0 (SSO). We do not have SSO configured to our existing website

 

In our scenario, We have an existing website https://Mycompany.com. It has its own database authentication system (Not AD). Once user is authenticated, They would be presented links to our vendor sites Ex: "Vendor1.com", "Vendor2.com"

 

On clicking any of the link we need to generate saml2.0 with some custom attributes before we redirect them to vendor sites.

 

How would we integrate SSO to this existing site so when clicked on vendor link it passes saml assertion along with it.

 

Here are my basic questions on the architecture.

 

1) I would redirect the vendor link first to IDP but I am not sure how IDP would figure out if this is a valid user. Since user is already authenticated through our existing website which is not going through APM, I will not have password to post to IDP.

 

2) Do we need to move the existing website authentication to APM to get the saml while logging into the site itself?

 

I will appreciate if someone can give me some direction to start.

 

    1. APM can be SP or IDP, see https://f5.com/resources/white-papers/solving-substantiation-with-saml. Read the "BIG-IP APM as an Identity Provider" section carefully. I think that describes what you're looking for.

       

    2. As I understand it, APM doesn't have to be the IDP. The solution is easier to describe with APM in front of everything as the SSO endpoint (and IDP). APM does support forms post authentication to your portal site, see https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-sso-config-11-2-0/3.html.

       

  • Hi, I think your best option is to use APM as an authentication portal and show the app links in there. This is called IDP Portal: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/28.html?sr=52932618 You can use as AAA server your website but the APM needs to know how to assign resources to the users ( for example an HTTP header with the resources for the user in the response from the website, then you can an irule to capture this). Your point 1, if you present the IDP to the user, or your website performs SSO or the user will need to authenticate again otherwise there's no way to know which user is accessing the service. Hope this helps