Thanks for the info. To clarify, I do not wish to continue using username and pass. We are testing AzureAD as our IDP and the F5 as the SP (which is working), but we are having issues authenticating to our Citrix StoreFront. You cannot pass the password from AzureAD as a SAML attribute (and I would never want to hand around a pw in a SAML attribute anyways).
I would think that I would have to do a Kerb or another SAML, which I have tried, but I cannot seem to get this to work. Looking for someone who has this working in their environment.