F5 Employee

SAML is a federation protocol used to authenticate users.

F5 Distributed Cloud (F5 XC) does not yet offer such a solution natively, but thanks to the F5 portfolio, it is easy to deploy NGINX in F5 XC and enable SAML with NGINX acting as the Service Provider.

To do so, we need:

  • An F5 Distributed Cloud tenant
  • An F5 Distributed Cloud vK8s
  • An NGINX Plus subscription (license)
  • The NGINX Plus SAML module :
  • A SAML IdP - in our demo, we will use the Corporate F5 Azure AD


This is the architecture





Create the NGINX Plus Docker image

To run NGINX Plus in vK8s, the NGINX Plus image must be built as unprivileged. By default the NGINX daemon expects to run as root, and this is not allowed in vK8s.

You can find the GitHub repo with the Dockerfile and steps here :

When the image is created, upload it to a PRIVATE repository. NGINX Plus is not free, so don't push the image into a public repo. In our demo, we will use Azure Container Registry (ACR).


First of all, create a vK8s in your Namespace. Then create an F5 Distributed Cloud Container Registry (with Azure ACR, it is pretty easy: copy and paste the ACR hostname, username and password).
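
The two requirements above (a non-root NGINX Plus container and an image pulled from a private registry) expressed as a standard Kubernetes Deployment manifest. This is an added example, not the manifest from the article or its GitHub repo; the workload name, image reference, pull-secret name, UID 101 and port 8080 are assumptions to replace with your own values.

```yaml
# Added example: every name and value below is a placeholder or an assumption.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-plus-saml              # hypothetical workload name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-plus-saml
  template:
    metadata:
      labels:
        app: nginx-plus-saml
    spec:
      # Credentials for the private registry (placeholder secret name).
      # Without them the pull from a private repository fails.
      imagePullSecrets:
        - name: acr-pull-secret
      containers:
        - name: nginx-plus
          # Placeholder reference to the image in a private ACR repository.
          image: <your-registry>.azurecr.io/nginx-plus-unprivileged:<tag>
          ports:
            # Assumed listen port: a non-root process normally cannot bind
            # to ports below 1024, so the NGINX config must listen high.
            - containerPort: 8080
          securityContext:
            runAsNonRoot: true         # container is rejected if it would start as UID 0
            runAsUser: 101             # assumed UID of the nginx user baked into the image
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]            # no Linux capabilities are needed on a high port
```

If the pod fails to start with these settings, the image is still trying to run as root or to write to root-owned paths, which points back at the Dockerfile rather than at the manifest.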


Great article, @Matt_Dierick. Another good question is whether you can send traffic to a non-public application without a public IP address that is connected with a CE Edge using NGINX on the RE, as using NGINX on the CE with vK8s will solve this, but I wonder if there is a way to use the NGINX on the RE and then forward traffic to the CE Edge.

Maybe if an LB is created on the local CE node and NGINX has in the server farm the LB IP address that is on the CE, but I never tested whether traffic will be forwarded from the RE to the CE using the IPsec tunnel.

F5 Employee

@Nikoolayy1 I'm almost 99,9999% sure we can do it as the N+ in vk8s has access to the F5XC internal DNS to resolve the internal LB exposed on the CE.

@Matt_Dierick I can confirm that you are right, as just the LB that is going to connect the backend app through the CE tunnel to the NGINX on the RE needs to be advertised to the Kubernetes on the RE, as shown in f5devcentral/xchacedemoguide, and then the NGINX will use the internal Kubernetes DNS with the LB domain name.

Version history
Last update:
‎12-Jun-2023 08:27