Forum Discussion
Using SAML for login vs F5 Login Page, but need the password for SSO profiles
Well, yes, SAML and the whole concept of federation are meant to reduce the need for passwords, but your use case, unfortunately, is still valid, as not all applications can use SAML. In your case there are three options:
- If the backend application supports Kerberos for authentication, you can leverage Kerberos Constrained Delegation to perform passwordless SSO.
- If the application supports the ability to extract user identity from a header, you might be able to modify it to trust the username from the header that APM would insert after authenticating the user.
- You can use a SAML IDP (and F5 is one of very few, if not the only one that I can do it) which will allow you to pass the password as the attribute in the SAML assertion. It is secure because you would encrypt that attribute and thus only the SP will be able to decrypt it and use it for SSO.
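
For the header option in the answer above, the backend has to accept the username header only when the request actually arrives from the proxy. The following is an added example, not code from the thread or from F5; the header name `X-APM-Username` and the proxy address are assumptions chosen for illustration.

```python
import ipaddress

# Assumptions (not from the thread): hypothetical header name, constructed proxy IP.
IDENTITY_HEADER = "HTTP_X_APM_USERNAME"  # WSGI key for "X-APM-Username"
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.10/32")]


def is_trusted_peer(remote_addr):
    """True only when the TCP peer is one of the configured proxy addresses."""
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_PROXIES)


def resolve_identity(environ):
    """Return the asserted username, or None if the request must be rejected."""
    if not is_trusted_peer(environ.get("REMOTE_ADDR", "")):
        return None  # from any other peer the header is just client input
    user = environ.get(IDENTITY_HEADER, "").strip()
    # Many servers join repeated headers with a comma; a comma here means the
    # proxy did not overwrite a client-supplied copy, so refuse the request.
    if not user or any(c in user for c in "\r\n\x00,"):
        return None
    return user


class HeaderIdentityMiddleware:
    """WSGI wrapper that sets REMOTE_USER from the proxy-inserted header."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        user = resolve_identity(environ)
        if user is None:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"identity header not accepted\n"]
        environ["REMOTE_USER"] = user
        return self.app(environ, start_response)
```

The proxy must also remove any copy of the header sent by the client before inserting its own, and the backend should not be reachable except through the proxy.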
Thanks Michael!
Can you clarify 3? I think you are referring to using F5 as the IDP vs a redirect to the actual SAML server/SP. If that is the case, I believe you have to use the F5 login page, which is what we are trying to avoid. By using the page, users that are on network would have to log in vs being auto logged in as they are on a trusted network and trusted device.