Forum Discussion
Using SAML for login vs F5 Login Page, but need the password for SSO profiles
Well, yes, SAML and the whole concept of federation are meant to reduce the need for passwords, but your use case, unfortunately, is still valid, as not all applications can use SAML. In your case there are three options:
- If the backend application supports Kerberos for authentication, you can leverage Kerberos Constrained Delegation to perform passwordless SSO
- If the application supports the ability to extract user identity from a header, you might be able to modify it to trust the username from the header that APM would insert after authenticating the user
- You can use a SAML IDP (and F5 is one of very few, if not the only one, that can do it) which will allow you to pass the password as an attribute in the SAML assertion. It is secure because you would encrypt that attribute and thus only the SP will be able to decrypt it and use it for SSO.
No, I was saying that if F5 was an IDP (F5 can perform both roles - IDP and SP), then it could take the user's password, securely encrypt it and pass it to another SP as an attribute in the SAML assertion. The question is whether you control the IDP or not - if the IDP you're using is within your domain of control, you can consider whether you can deploy F5 in the IDP role instead of what you're using to accomplish your SSO goal.
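The password-as-encrypted-attribute flow described in the two replies above, as an added worked example; it is not F5 code and not part of the original thread. It assumes an AES-256-GCM content key wrapped for the SP with RSA-OAEP (the XML Encryption 1.1 identifiers for those two algorithms), an in-memory SP key pair standing in for the encryption certificate an SP publishes in its metadata, and a constructed sample password. The element layout follows the SAML 2.0 EncryptedAttribute structure (xenc:EncryptedData with the wrapped key in ds:KeyInfo/xenc:EncryptedKey) but leaves out DigestMethod, the certificate reference and canonicalisation, so it illustrates the mechanism rather than being a conformant XML Encryption implementation. The IdP's signature over the assertion is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
)

// XML Encryption 1.1 algorithm identifiers.
const (
	algAESGCM  = "http://www.w3.org/2009/xmlenc11#aes256-gcm"
	algRSAOAEP = "http://www.w3.org/2009/xmlenc11#rsa-oaep"
)

// Element layout of a SAML 2.0 <saml:EncryptedAttribute>: an xenc:EncryptedData
// whose ds:KeyInfo carries the content key wrapped for the SP in an xenc:EncryptedKey.
// Layout only (no DigestMethod, certificate reference or canonicalisation).
type encMethod struct{ Algorithm string `xml:"Algorithm,attr"` }
type cipherData struct{ CipherValue string `xml:"http://www.w3.org/2001/04/xmlenc# CipherValue"` }
type encKey struct {
	EncryptionMethod encMethod  `xml:"http://www.w3.org/2001/04/xmlenc# EncryptionMethod"`
	CipherData       cipherData `xml:"http://www.w3.org/2001/04/xmlenc# CipherData"`
}
type keyInfo struct{ EncryptedKey encKey `xml:"http://www.w3.org/2001/04/xmlenc# EncryptedKey"` }
type encData struct {
	EncryptionMethod encMethod  `xml:"http://www.w3.org/2001/04/xmlenc# EncryptionMethod"`
	KeyInfo          keyInfo    `xml:"http://www.w3.org/2000/09/xmldsig# KeyInfo"`
	CipherData       cipherData `xml:"http://www.w3.org/2001/04/xmlenc# CipherData"`
}

// EncryptedAttribute takes the place of a cleartext <saml:Attribute Name="password">
// inside the assertion's AttributeStatement.
type EncryptedAttribute struct {
	XMLName       xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion EncryptedAttribute"`
	EncryptedData encData  `xml:"http://www.w3.org/2001/04/xmlenc# EncryptedData"`
}

// NewSPKey stands in for the SP's encryption key pair (normally the certificate in its metadata).
func NewSPKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// IdPEncryptPassword is the IdP side: a fresh AES-256-GCM content key encrypts the
// password, the SP's public key wraps that key with RSA-OAEP, and the result is
// serialised as an EncryptedAttribute element.
func IdPEncryptPassword(spPub *rsa.PublicKey, password string) ([]byte, error) {
	buf := make([]byte, 32+12) // AES-256 content key followed by a 96-bit GCM IV
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	contentKey, iv := buf[:32], buf[32:]
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	// xenc11 aes-gcm CipherValue layout is IV || ciphertext || tag, which is what
	// Seal yields when the IV is passed as the destination prefix.
	sealed := gcm.Seal(iv, iv, []byte(password), nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, spPub, contentKey, nil)
	if err != nil {
		return nil, err
	}
	b64 := base64.StdEncoding.EncodeToString
	attr := EncryptedAttribute{EncryptedData: encData{
		EncryptionMethod: encMethod{algAESGCM},
		KeyInfo:          keyInfo{encKey{encMethod{algRSAOAEP}, cipherData{b64(wrapped)}}},
		CipherData:       cipherData{b64(sealed)},
	}}
	return xml.MarshalIndent(attr, "", "  ")
}

// SPDecryptPassword is the SP side: parse the element, refuse any algorithm other than
// the expected pair, unwrap the content key with the SP's private key and recover the
// password for the downstream SSO profile.
func SPDecryptPassword(spPriv *rsa.PrivateKey, doc []byte) (string, error) {
	var attr EncryptedAttribute
	if err := xml.Unmarshal(doc, &attr); err != nil {
		return "", err
	}
	ed := attr.EncryptedData
	if ed.EncryptionMethod.Algorithm != algAESGCM || ed.KeyInfo.EncryptedKey.EncryptionMethod.Algorithm != algRSAOAEP {
		return "", errors.New("unexpected encryption algorithm")
	}
	wrapped, err1 := base64.StdEncoding.DecodeString(ed.KeyInfo.EncryptedKey.CipherData.CipherValue)
	sealed, err2 := base64.StdEncoding.DecodeString(ed.CipherData.CipherValue)
	if err1 != nil || err2 != nil || len(sealed) < 12+16 { // at least IV + tag
		return "", errors.New("malformed CipherValue")
	}
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, spPriv, wrapped, nil)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return "", err
	}
	pw, err := gcm.Open(nil, sealed[:12], sealed[12:], nil)
	if err != nil {
		return "", err
	}
	return string(pw), nil
}

func main() {
	spKey, _ := NewSPKey() // GenerateKey only fails if the system RNG does
	doc, err := IdPEncryptPassword(&spKey.PublicKey, "Example-Pa55word") // constructed sample
	if err != nil {
		panic(err)
	}
	pw, err := SPDecryptPassword(spKey, doc)
	fmt.Printf("%s\nSP recovered: %q (err=%v)\n", doc, pw, err)
}
```

The cleartext password exists only inside the IdP and inside the SP that holds the matching private key; the browser relaying the assertion and any intermediary see only the CipherValue elements. The SP deliberately checks the algorithm identifiers before touching the key material, so a rewritten EncryptionMethod is rejected rather than silently processed, and it refuses to unwrap with a different key pair.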