Forum Discussion
Using SAML for login vs F5 Login Page, but need the password for SSO profiles
Well, yes, SAML and the whole concept of federation are meant to reduce the need for passwords, but your use case, unfortunately, is still valid, as not all applications can use SAML. In your case there are three options:
- If backend application supports Kerberos for authentication, you can leverage Kerberos Constrained Delegation to perform passwordless SSO
- If the application supports the ability to extract user identity from a header, you might be able to modify it to trust the username from the header that APM would insert after authenticating the user
- You can use a SAML IDP (and F5 is one of very few, if not the only one, that can do it) which will allow you to pass the password as an attribute in the SAML assertion. It is secure because you would encrypt that attribute and thus only the SP will be able to decrypt it and use it for SSO.
- Rusty_M_140798, Sep 23, 2016, Nimbostratus
Thanks Michael!
Can you clarify 3? I think you are referring to using F5 as the IDP vs a redirect to the actual SAML server/SP. If that is the case I believe you have to use the F5 login page, which is what we are trying to avoid. By using the page, users that are on the network would have to log in vs being auto-logged in, as they are on a trusted network and trusted device.
- Michael_Koyfman, Sep 23, 2016, Cirrocumulus
No, I was saying that if F5 was an IDP (F5 can perform both roles, IDP and SP), then it could take the user's password, securely encrypt it and pass it to another SP as an attribute in the SAML assertion. The question is whether you control the IDP or not: if the IDP you're using is within your domain of control, you can consider whether you can deploy F5 in the IDP role instead of what you're using to accomplish your SSO goal.
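The third option in Michael's answer, and the point he repeats in this reply, rests on one mechanism: the IdP wraps the sensitive `<saml:Attribute>` in a `<saml:EncryptedAttribute>` whose content key is encrypted to the SP's public key, so nothing between IdP and SP (the browser carrying the assertion included) can read it. The Go program below is an added example written for this page, not code from the discussion or from F5 APM, and shows both sides of that exchange with the XML Encryption primitives a SAML 2.0 implementation uses (AES-128-CBC with the IV prepended to the ciphertext, key wrapped with RSA-OAEP/SHA-1/MGF1 as `rsa-oaep-mgf1p` specifies). It assumes the IdP already holds the SP's RSA encryption public key (a freshly generated key pair stands in for the SP certificate), uses the hypothetical attribute name `password` with a constructed demo value, and omits the assertion signature that a real IdP also adds so the SP can reject assertions it did not issue.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"html"
)

// xmlenc algorithm identifiers that the rendered element advertises.
const (
	algAES128CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
	algRSAOAEP   = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
)

// EncryptedAttribute: AES key wrapped to the SP's RSA key (xenc:EncryptedKey) plus IV||ciphertext (xenc:EncryptedData).
type EncryptedAttribute struct {
	WrappedKey  []byte
	CipherValue []byte
}

// AttributeXML renders the plaintext <saml:Attribute> that gets encrypted (the name "password" is a hypothetical choice).
func AttributeXML(name, value string) string {
	return fmt.Sprintf(`<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="%s"><saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>`,
		html.EscapeString(name), html.EscapeString(value))
}

// EncryptAttribute is the IdP side: fresh AES-128 key and IV per attribute, CBC with the IV
// prepended to the ciphertext (xmlenc layout), key wrapped with RSA-OAEP/SHA-1/MGF1 (what
// rsa-oaep-mgf1p specifies) so that only the holder of the SP private key can unwrap it.
func EncryptAttribute(spPub *rsa.PublicKey, name, value string) (*EncryptedAttribute, error) {
	keyIV := make([]byte, 2*aes.BlockSize)
	if _, err := rand.Read(keyIV); err != nil {
		return nil, err
	}
	key, iv := keyIV[:aes.BlockSize], keyIV[aes.BlockSize:]
	blk, _ := aes.NewCipher(key) // 16-byte key: cannot fail
	plain := []byte(AttributeXML(name, value))
	pad := aes.BlockSize - len(plain)%aes.BlockSize // xmlenc padding: final byte = pad length
	plain = append(plain, bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(plain))
	copy(out, iv)
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out[aes.BlockSize:], plain)
	wrapped, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, spPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedAttribute{WrappedKey: wrapped, CipherValue: out}, nil
}

// DecryptAttribute is the SP side: unwrap the AES key with the SP private key, AES-CBC decrypt, strip
// padding (xmlenc defines only the final length byte, so filler bytes are not checked). Whoever
// intercepts the assertion without the SP private key fails at the OAEP step.
func DecryptAttribute(spPriv *rsa.PrivateKey, e *EncryptedAttribute) (string, error) {
	key, err := rsa.DecryptOAEP(sha1.New(), nil, spPriv, e.WrappedKey, nil)
	if err != nil {
		return "", fmt.Errorf("unwrap key: %w", err)
	}
	blk, err := aes.NewCipher(key) // key length came from the wire, so check it
	if err != nil {
		return "", err
	}
	if len(e.CipherValue) < 2*aes.BlockSize || len(e.CipherValue)%aes.BlockSize != 0 {
		return "", fmt.Errorf("malformed CipherValue")
	}
	dst := make([]byte, len(e.CipherValue)-aes.BlockSize)
	cipher.NewCBCDecrypter(blk, e.CipherValue[:aes.BlockSize]).CryptBlocks(dst, e.CipherValue[aes.BlockSize:])
	if pad := int(dst[len(dst)-1]); pad == 0 || pad > aes.BlockSize {
		return "", fmt.Errorf("invalid padding")
	}
	return string(dst[:len(dst)-int(dst[len(dst)-1])]), nil
}

// XML renders the element as it would appear inside <saml:AttributeStatement>.
func (e *EncryptedAttribute) XML() string {
	b64 := base64.StdEncoding.EncodeToString
	return fmt.Sprintf(`<saml:EncryptedAttribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">`+
		`<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">`+
		`<xenc:EncryptionMethod Algorithm="%s"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">`+
		`<xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="%s"/>`+
		`<xenc:CipherData><xenc:CipherValue>%s</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></ds:KeyInfo>`+
		`<xenc:CipherData><xenc:CipherValue>%s</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></saml:EncryptedAttribute>`,
		algAES128CBC, algRSAOAEP, b64(e.WrappedKey), b64(e.CipherValue))
}

func main() {
	spKey, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the SP's encryption certificate
	enc, err := EncryptAttribute(&spKey.PublicKey, "password", "Sup3r<secret>&co") // constructed demo value
	if err != nil {
		panic(err)
	}
	fmt.Println(enc.XML())
	fmt.Println(DecryptAttribute(spKey, enc))
}
```

Running it with `go run` prints the encrypted element and then the recovered `<saml:Attribute>`; decrypting with any other private key fails at the key-unwrap step. The encryption protects the value only on its way through the browser: the SP ends up holding a cleartext password and inherits the same handling obligations as a login form, and it must still verify the assertion signature before trusting the attribute at all.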