SAML – Client versus Server Authentication with F5 APM

As organizations start to utilize Software as a Service (SaaS), how to authenticate users becomes a critical security concern. Many organizations look to federated authentication mechanisms, such as SAML, to address this risk. The benefits of using SAML are that user credentials are not replicated across each vendor's cloud instance and that it greatly simplifies user management. However, not all applications will be migrated to the cloud, due to limitations or security concerns. So when you start adopting SAML, what happens to the applications that are left in your data centers?

Many of the customers I work with adopt SAML as an authentication platform for both internal and cloud-based solutions. The roadblock I typically run into is that they try to implement SAML on every service - a "square peg in a round hole" approach. While many commercial applications and programming frameworks are starting to support SAML, implementing SAML on the backend servers is not always necessary.

In my view, SAML works great as a client-side authentication mechanism for self-hosted applications but does not always "fit the bill" for server-side authentication. When you use the F5 BIG-IP to provide Single Sign-On services to your internal applications, you have several server-side authentication options to choose from: HTTP Basic, form, NTLM and Kerberos, to name a few. In certain situations these options are much easier to implement and maintain across a large number of applications.

When using SAML for authentication, the IdP provides an assertion to prove the user's identity. In this situation the F5 does not have the user's password, so HTTP Basic, HTTP form and NTLM authentication are not possible - this is ideal in security-conscious environments because sensitive credentials are not being passed around. However, the F5 can convert the SAML assertion into a token and use Kerberos Constrained Delegation to authenticate the user to the backend web server. A huge benefit of this model is that it scales very well to a large number of applications, because most web servers support Kerberos authentication and you do not have to create one-off APM SSO profiles for each application.

In conclusion, the F5 BIG-IP gives organizations the ability to authenticate users securely to services, whether in the cloud or in your data center. The important thing to consider when designing your authentication solution is to examine all the authentication options available to you and stop trying to squeeze the square peg into the round hole.

Published Jul 03, 2014
Version 1.0
  • Cody, can you point me to any books, articles, etc., re: the best practices for authentication in general? Thx
  • I am looking for a way to authenticate external clients using SAML or certificate-based auth and then be able to automatically authenticate them to applications that only support NTLM. Based on all the reading that I have done so far, that is not possible, as the user password seems to be a must to be able to perform NTLM auth, but I wanted to bring up the question anyway to see if there is something I am not aware of to address this scenario. Thanks.