APM Cookbook: AutoLaunch SAML Resources

Introduction After the SAML labs at Agility I got a lot of questions about how to automatically launch SAML resources and skip the webtop, and I promised I'd write it up for you. If you haven't be...
Published Aug 10, 2016
Version 1.0
BIG-IP Access Policy Manager (APM)
iRules
saml
security
user experience
Graham_Alderso1
Ret. Employee
Joined May 22, 2019

Graham_Alderso1
Ret. Employee
May 16, 2018

Yes. That will work.

You should probably pick one of the DNS names to be the one used by the SP in its SAML configuration (webapp1.domain.com or webapp2.domain.com). So no matter what name is used to get to the SP, the one you picked in the SAML config is the one the user will be returned to after auth at the IdP. An alternative option, if you must have the user returned to the same DNS name, is that you could detect the DNS name, branch in the APM config, and have a different SAML Auth object for each DNS name (and related config).

You'll want to reference the manual for APM as SP and APM as IdP specific to the version you run. There are two ways to deploy APM as IdP: one with webtop and one without. With webtop is required if you'll have multiple SPs, but not if you will only have one and want to limit it to ONLY SP-initiated auth (meaning you can't go to the IdP first). The article above is about how to deploy with webtop but have the SAML object autolaunch so the user doesn't see the webtop, which is different.

This guide will help you on the Kerberos setup: https://f5.com/solutions/deployment-guides/kerberos-constrained-delegation-big-ip-v11-v12-apm

Note that it shows client cert auth on the client side and you're using SAML instead, but the setup of the Kerberos Constrained Delegation is the same.

If you need to seek more help, I suggest opening a new thread since this is out of scope for the article above and won't get the same level of notice/attention.
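The two options in the reply above (one canonical SP configuration for every DNS name, or a per-hostname branch that picks a separate SP configuration) come down to which AssertionConsumerService URL ends up in the AuthnRequest, because that is where the IdP sends the user back. The following is an added example, not code from the post or from APM/iRules, written in plain Python to show that selection logic and the resulting HTTP-Redirect binding request. The hostnames webapp1.domain.com and webapp2.domain.com are taken from the thread; idp.example.com, the entity IDs, ACS paths and the function names are assumptions for illustration. Note that in the per-host branch an unknown Host header is rejected rather than mapped somewhere, since the Host header is attacker-controlled and the IdP should only ever receive ACS URLs that were registered for the SP.

```python
import base64
import uuid
import zlib
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.etree import ElementTree as ET


@dataclass(frozen=True)
class SpConfig:
    entity_id: str    # SP EntityID as registered at the IdP
    acs_url: str      # AssertionConsumerService URL the IdP posts the assertion to
    idp_sso_url: str  # IdP single sign-on endpoint (HTTP-Redirect binding)


IDP_SSO = "https://idp.example.com/saml/idp/sso"  # hypothetical IdP endpoint

# Option 1: one canonical SP configuration no matter which name the user typed,
# so the user always comes back to webapp1.domain.com after auth.
CANONICAL = SpConfig("https://webapp1.domain.com/saml/sp",
                     "https://webapp1.domain.com/saml/acs", IDP_SSO)

# Option 2: a separate SP configuration per DNS name, each one registered at the
# IdP (the "different SAML Auth object for each DNS name" branch).
SP_BY_HOST = {
    "webapp1.domain.com": CANONICAL,
    "webapp2.domain.com": SpConfig("https://webapp2.domain.com/saml/sp",
                                   "https://webapp2.domain.com/saml/acs", IDP_SSO),
}


def normalize_host(host_header: str) -> str:
    """Lower-case the Host header and strip any :port so the lookup is exact-match."""
    host = host_header.strip().lower()
    if host.startswith("["):            # IPv6 literal such as [::1]:443
        return host.split("]")[0] + "]"
    return host.split(":")[0]


def select_sp_config(host_header: str, per_host: bool) -> SpConfig:
    """Decide which SP configuration (and therefore which ACS URL) to use.

    per_host=False always returns the canonical config (option 1).
    per_host=True branches on the requested DNS name (option 2); a Host that is not
    in the allowlist raises instead of being silently accepted.
    """
    if not per_host:
        return CANONICAL
    host = normalize_host(host_header)
    try:
        return SP_BY_HOST[host]
    except KeyError:
        raise ValueError(f"no SAML SP configuration for host {host!r}") from None


def build_redirect_url(cfg: SpConfig, relay_state: str = "") -> str:
    """Build an HTTP-Redirect binding URL (raw DEFLATE, base64, URL-encode) for an
    unsigned AuthnRequest whose AssertionConsumerServiceURL is cfg.acs_url."""
    req_id = "_" + uuid.uuid4().hex
    issued = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{req_id}" Version="2.0" IssueInstant="{issued}" '
        f'Destination="{cfg.idp_sso_url}" '
        f'AssertionConsumerServiceURL="{cfg.acs_url}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{cfg.entity_id}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    raw = deflater.compress(xml.encode()) + deflater.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return cfg.idp_sso_url + "?" + urlencode(params)


def acs_url_in_request(url: str) -> str:
    """Decode the SAMLRequest parameter and return the AssertionConsumerServiceURL,
    i.e. the DNS name the IdP will return the user to."""
    qs = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    xml = zlib.decompress(raw, -15).decode()
    return ET.fromstring(xml).get("AssertionConsumerServiceURL")


if __name__ == "__main__":
    # Constructed request: the user arrived via webapp2, port included in Host.
    for per_host in (False, True):
        cfg = select_sp_config("WebApp2.domain.com:443", per_host=per_host)
        print(per_host, "->", acs_url_in_request(build_redirect_url(cfg)))
```

The per-host branch only works if the IdP has every ACS URL registered, which is what "and related config" in the reply means in practice. If you instead carry the originally requested hostname in RelayState and redirect to it after the assertion is consumed, validate it against the same allowlist on the way back; an unchecked RelayState is an open redirect.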

 
