We use APM for our SSLVPN Service. Some users just use the VPN client, whilst others use a combination of VPN and Webtop to access services such as RDS and Citrix that we've integrated into APM.
We're in the process of migrating over to SAML authentication for the access policy which provides SSO and MFA capacility via AzureAD. The one downside is that we don't have user credentials to pass to the integrated RDS/Citrix.
We've implemented a workaround which works but is still clunky. At present the SSO/MFA process completes, they are then prompted to enter their password which is then avialable for RDS/Citrix.
Whilst this is a much improved experience that the prevsious setup, we'd ideally like to be able to only as for the user's password if they click RDS/Citrix icons on the webtop. This would mean that the VPN users are SSO's without interuption.
I've looked at step-up authentication but can't figure out if it's possible to achieve this as part of the interation with the webtop. My other thought was to create a link on the webtop to open a specific URL which would be caught by a per-request policy which would run the logon box, set a session variable which would be tied to the advanced resource assign for Citrix/RDP.
Does anyone know if it's possible to achieve such functionality?
Even though there is no password exchange in SAML between IdP and SP, there is a chance to configure a ad-hoc setup where IdP injects the password encrypted just for legacy SSO purposes.
Another option for SSO is to configure SAML Auth in the front side and also in the server side, because the same assertion could be used by both authentication steps.
For more info, check "Table 3.1 Client-side and server-side authentication method support matrix"
REF - https://support.f5.com/csp/article/K08200035
Where the article states:
"1. BIG-IP APM can function as a SAML identity provider (IdP) and a service provider (SP). As an SP, the client generally authenticates at the IdP. Therefore, the SP does not have access to users’ credentials.
However, it is possible for the IdP to encrypt and transmit those validated credentials in the standard SAML assertion or in a separate artifact communication. In this way a BIG-IP APM SAML SP could perform server-side authentication functions requiring a password.
Also, when the BIG-IP APM is the IdP but the SP authentication request originates from an external source, such as a custom portal instead of the BIG-IP APM built-in webtop, the system generates a SAML assertion on-the-fly to automatically sign in the user. For more information, refer to Identity federation."