Because F5 BIG-IP is deployed as a full proxy, it supports flexible deployments with multiple components: BIG-IP APM can act on its own as both policy decision point (PDP) and policy enforcement point (PEP), or it can act as the PEP and rely on an external identity provider as the decision point (PDP).
The F5 deployment guide presents two main use cases when integrating with PingIdentity:
1. Horizontal scaling and offloading PingAccess Agent functionality to BIG-IP APM.
2. PingIdentity as Identity Provider and BIG-IP APM as Service Provider.
Horizontal Scaling and offloading PingAccess Agent functionality to BIG-IP APM
BIG-IP APM allows the distribution of application access requests to multiple PingAccess nodes depending on constraints and availability.
1. The client requests access to a protected resource.
2. The BIG-IP APM built-in PingAccess agent functionality requests a decision from the PingAccess policy server.
3. PingAccess checks the URL policy and determines that the requested resource is protected. It then responds to BIG-IP APM indicating that the user should be redirected to PingFederate for authentication.
4. BIG-IP APM redirects the user to PingFederate. After successful authentication, the user is redirected back to BIG-IP APM with a PingFederate token.
5. BIG-IP APM passes the PingFederate token to PingAccess, which validates the PingFederate response and returns to BIG-IP APM the decision to allow or deny access to the resource.
6. The decision carries an expiration and is cached on BIG-IP APM, which enforces it until it expires.
PingIdentity as Identity Provider and BIG-IP APM as Service Provider
BIG-IP APM acts as the Service Provider (SP) and PingIdentity as the Identity Provider (IdP). BIG-IP APM supports both modern and legacy authentication systems, which allows robust Single Sign-On (SSO) integration with on-premises and cloud-based identity providers, and also supports Virtual Desktop Infrastructure (VDI).
1. Build SAML trust between BIG-IP APM and PingFederate.
2. The user requests access to the protected web resource through BIG-IP APM.
3. BIG-IP APM redirects the user's browser to PingFederate for authentication.
4. The user's browser is redirected back to BIG-IP APM with the assertion response.
5. BIG-IP APM validates the assertion and allows access.
6. If SSO is used (for example Kerberos), BIG-IP APM uses Kerberos delegation with information obtained from session variables to perform SSO.
7. Once successful, the user is allowed to access the protected resource.
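The SP-side checks behind step 5 (validating the assertion before granting access) are illustrated below. This is an added example, not BIG-IP APM's or PingFederate's code: the entity IDs, the sample Response and the "current time" are constructed, and `signature_ok` stands in for XML-DSig verification against the IdP certificate configured in the SAML trust.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # production: parse with defusedxml and verify XML-DSig with a real library
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SP_ENTITY_ID = "https://apm.example.com/saml/sp"        # assumed BIG-IP APM (SP) entity ID
IDP_ENTITY_ID = "https://pingfederate.example.com/idp"  # assumed PingFederate (IdP) entity ID
CLOCK_SKEW = timedelta(seconds=60)                       # tolerated SP/IdP clock drift

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, pending_request_ids, now, signature_ok):
    """SP-side checks on a SAML Response. signature_ok(assertion) stands in for
    XML-DSig verification against the IdP certificate configured in the trust."""
    root = ET.fromstring(xml_text)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return False, "expected exactly one Assertion"
    a = assertions[0]
    if a.find("ds:Signature", NS) is None or not signature_ok(a):
        return False, "Assertion signature missing or invalid"
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        return False, "Issuer is not the trusted IdP"
    if root.get("InResponseTo") not in pending_request_ids:
        return False, "InResponseTo does not match a pending AuthnRequest"
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element"
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + CLOCK_SKEW < _ts(nb):
        return False, "Assertion not yet valid"
    if noa and now - CLOCK_SKEW >= _ts(noa):
        return False, "Assertion expired"
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return False, "AudienceRestriction does not name this SP"
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return (True, name_id) if name_id else (False, "no NameID in Subject")

# Constructed sample Response (not a real PingFederate message); signature body omitted.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" InResponseTo="_req42">
 <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><ds:Signature/>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""
NOW = datetime(2024, 1, 1, 12, 2, tzinfo=timezone.utc)  # constructed "current time" inside the validity window
```

The pending-request set models the SP remembering the AuthnRequest IDs it issued, so an unsolicited or replayed Response is rejected even when its signature is valid.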