Forum Discussion
SSO options - NTLM integrated SAML assertions
I am trying to use NTLM pre-authentication for SAML assertions. To conceptualize:
- use an external logon page in F5 that points to a web service instead of a form
- the web service authenticates pass-through for NTLM-based clients and challenges other browsers/non-domain-joined systems for credentials
- the web service does a redirect POST back to the virtual server/my.policy with specific parameters (i.e. username, a dummy password and a specific flag stating user x is authenticated)
- I capture the custom session variables, manage the APM session and assign resources as required.
Is this possible? I'm getting close to getting this to work, but I need to get the HTTP response Location working as I want it.
12 Replies
- Kevin_Stewart
Employee
That should in fact work. Assuming you can get the external logon page stuff to work (rarely an easy thing), the only thing the APM IdP needs to send a valid assertion is the session variable that you've specified as the "Assertion Subject Value". So you could technically take the returned username and assign that to the required session variable, and assuming the SP accepts both the assertion and the ID value, you should be good to go. It'd then go something like this (IdP-initiated approach):
- User goes to APM IdP which then redirects to the external logon page
- User authenticates to external logon page via NTLM and is redirected back to APM IdP /my.policy URI with the username and (dummy) POST values
- APM IdP assigns the returned username to the assertion subject value session variable
- APM IdP access policy falls into the resource assignment agent, which specifies an external SP connector, and then redirects the user to the SP with a SAML assertion.
- Bam, you're in.
- Rabbit23_116296
Nimbostratus
This is working and in production. It passes back to the F5 a randomized 128-bit encrypted string which the F5 decodes using CRYPTO:: methods; it provides a seamless experience and the users never need to log in :) It also has basic authentication fallback for non-domain-joined systems or Mac clients.
I'd be happy to share the entire solution as a DevCentral article with the .NET ASP solution and the F5 bits if this is possible :)
- Kevin_Stewart
Employee
Please do contribute.
- Rabbit23_116296
Nimbostratus
http://schoombee.wordpress.com/2014/02/15/ntlm-saml-bridge-with-f5-access-policy-manager/
Rabbit23 - I read over your solution that you posted on WordPress, but am a bit confused by the workflow. If I understood it correctly, you've set up an IIS site that will authenticate the user via NTLM and then send an "assertion" to the APM, which will have to verify it via the symmetric encryption key that is set and allow the user to proceed if the verification is successful.
If I understood that right, is there a reason why you are not just using NTLM authentication on the BIG-IP itself to achieve the same?
- Rabbit23_116296
Nimbostratus
The IIS site authenticates the user and then sends the encrypted string to APM, which it verifies before allowing sign-on.
I know the APM module can do a client-side check, but then, as far as I know, a plug-in will need to be installed in the browser?
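Rabbit23's post above describes the bridge handing APM an encrypted string that APM verifies with a shared symmetric key before granting the session. As an added illustration (not the author's .NET/iRule code, which uses the F5 CRYPTO:: commands), here is a Python sketch of the properties such a token needs to have on the APM side: integrity (HMAC), freshness (timestamp window) and single use (nonce); the key, lifetime and in-memory nonce store are constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo key: in the real bridge the IIS site and the F5 share one secret.
SHARED_KEY = b"constructed-demo-key-do-not-use-in-production"
TOKEN_LIFETIME = 60        # seconds a bridge token stays acceptable
_seen_nonces = {}          # nonce -> expiry; hypothetical replay store for the demo

def issue_token(username, now=None):
    """Bridge side: bind the NTLM-authenticated username to a nonce and a timestamp, then MAC it."""
    now = int(now if now is not None else time.time())
    body = json.dumps({"u": username, "t": now, "n": secrets.token_hex(16)},
                      separators=(",", ":")).encode()
    mac = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac).decode()

def verify_token(token, now=None):
    """APM side: return the username only if the token is authentic, fresh and unused; else None."""
    now = now if now is not None else time.time()
    try:
        raw = base64.urlsafe_b64decode(token)
    except Exception:
        return None
    body, mac = raw[:-32], raw[-32:]
    # Check the MAC before trusting any field of the body (constant-time compare).
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None
    try:
        claims = json.loads(body)
    except ValueError:
        return None
    if not isinstance(claims, dict) or not all(k in claims for k in ("u", "t", "n")):
        return None
    # Freshness: reject tokens older than the lifetime or from the future (small clock skew allowed).
    if not (now - TOKEN_LIFETIME <= claims["t"] <= now + 5):
        return None
    # Replay: forget expired nonces, then refuse a nonce that was already accepted.
    for n in [n for n, exp in _seen_nonces.items() if exp < now]:
        del _seen_nonces[n]
    if claims["n"] in _seen_nonces:
        return None
    _seen_nonces[claims["n"]] = claims["t"] + TOKEN_LIFETIME
    return claims["u"]
```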
APM can perform native NTLM or Kerberos client authentication, so there isn't a need to use IIS for that - and there are no plug-ins needed. The NTLM process is not well documented, although I hope I will have time to write something up and post it on DC next week.
- Rabbit23_116296
Nimbostratus
We use NTLM currently with the F5 but only when using the F5 to front Kerberos enabled or other NTLM back ends.
I was really hoping it was possible natively, as the BIG-IP is effectively a Samba-type client itself that should be able to do stuff like this.
If you could please reply once you have proven another way.
Just so I am clear, you are using backend NTLM and Kerberos SSO, but not Kerberos or NTLM front-end authentication of the user to APM? If native client-side NTLM authentication is what's definitely desired, then yes, it works, and that is what I intend on posting.
- Rabbit23_116296
Nimbostratus
Yes, exactly. The desired native client-side behaviour is for the APM/LTM to be able to deal with the NTLM challenges and responses.
@rabbit23 - check this out: https://devcentral.f5.com/articles/leveraging-big-ip-apm-for-seamless-client-ntlm-authentication
Hope you can try it out and let me know what you think. :)