F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

SURFsecureID Second Factor Only (SFO) Authentication

Problem this snippet solves: Second Factor Only authentication allows a SP to authenticate only the second factor of a user. With SFO you can add two factor authentication to your institutions appli...

Updated Jun 05, 2023

Version 2.0

SURFconext_SFO_v12 KB

BIG-IP Access Policy Manager (APM)

Niels_van_Sluis

MVP

Joined May 15, 2019

View Profile

Niels_van_Sluis

MVP

Jan 30, 2018

The frontend virtual server is kind of a wrapper for the virtual server that holds the actual access policy. The reason why this extra virtual server is needed has to do with the internal working of the SAML process that is performed by the access policy. This process will not trigger the HTTP_RESPONSE iRule event, which makes it impossible to intercept and alter the SAML request. However when using this layered virtual server structure, the frontend virtual server that is logically between the backend virtual server and the IDP will trigger the HTTP_RESPONSE iRule event and makes it possible to intercept and alter the SAML request.

I hope this clarifies the need for an extra virtual server.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)

F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

SURFsecureID Second Factor Only (SFO) Authentication

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS