Using F5 as SAML 2.0 IDP

Question

Hi,&nbsp;
Can we configure SAML 2.0 IDP in F5/BIG-IP to use IBM Tivoli Directory Service (TDS) for authentication instead of active directory?  Please advise. &nbsp;
Thanks,
Raj.&nbsp;

yann_desmarest · Answer

Hello,&nbsp;
The IBM product is just an LDAP server, so you can bind your F5 system to that product. But it's not related to SAML.&nbsp;
If you talk about the just-in-time provisioning feature, I think you need IBM FIM also. This way, you can define the F5 system as an IDP with APM module and configure an IDP initiated SSO&nbsp;

yann_desmarest_ · Answer

Hello,&nbsp;
The IBM product is just an LDAP server, so you can bind your F5 system to that product. But it's not related to SAML.&nbsp;
If you talk about the just-in-time provisioning feature, I think you need IBM FIM also. This way, you can define the F5 system as an IDP with APM module and configure an IDP initiated SSO&nbsp;

swamyr_255150 · Answer

Hi,

Thanks for the reply.

I am new to this  SAML domain. I believe I didn't ask the question clearly.

I have seen some articles talking about defining F5 system as an IDP with APM module. The configuration talks about F5 using Microsoft's Active Directory for authenticating the users and then IDP passing the user attributes in a token to the Service Providers (SP).

My question is, can  F5 ( with APM module) use Tivoli Directory Service (TDS) instead of Active Directory for authentication and the n IDP passing the user attributes in a token to the Service Provider (SP)?

Thanks,
Raj.

swamyr_255150 · Answer

Hi,

Thanks for the reply.

I am new to this  SAML domain. I believe I didn't ask the question clearly.

I have seen some articles talking about defining F5 system as an IDP with APM module. The configuration talks about F5 using Microsoft's Active Directory for authenticating the users and then IDP passing the user attributes in a token to the Service Providers (SP).

My question is, can  F5 ( with APM module) use Tivoli Directory Service (TDS) instead of Active Directory for authentication and the n IDP passing the user attributes in a token to the Service Provider (SP)?

Thanks,
Raj.

yann_desmarest · Answer

Hello,

Yes you can do it. Just degine IBM TDS as a LDAP Server and add "LDAP auth" block in your authentication workflow on the IDP (also defined on F5). Then, you can pass attributes like email, upn, etc. to the Service Provider

Forum Discussion

Using F5 as SAML 2.0 IDP

6 Replies

Bram - January 2026 Featured Member

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

F5OS VLAN naming length restrictions

How can I measure Advanced WAF (ASM) throughput on a running BIG-IP VE (per VIP / per policy)?

Maintenance page / local website that includes subfolders

VIPRION B2250 to VELOS CX410 and BIG-IPr10900 migration

Raise your hand if you'll be at AppWorld 2026

Related Content

Secure Access to Web Applications with F5 and Okta using SAML 2.0 (1 of 2)

Secure Access to Web Applications with F5 and Okta using SAML 2.0 (2 of 2)

decrypted tcpdump capture without using an iRule and without using tshark

OAuth 2.0 Dynamic Client Registration

Social Login to Enterprise Apps using BIG-IP & OAuth 2.0

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS