01-Mar-2017 05:34
Hi,
I am deploying a POC with F5 APM as reverse proxy and I have to publish internal resources configured with SAML auth.
I did not find any configuration guide on how to configure it.
When I try to configure SAML SSO (in the SSO menu, not the SAML one), it creates a local IdP.
I do not want to create a SAML IdP but to authenticate users against an existing SAML IdP.
Is it supported, or do I have to ask the customer to change the internal authentication method?
Regards,
Stanislas
01-Mar-2017 06:56
Are you trying to configure F5 APM as the Service Provider? You can configure this by Access Policy - SAML - BIG-IP as SP.
This article provides more information: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-o...
01-Mar-2017 08:35
Hi,
No, the internal server (URL : ) is already configured with SAML auth with ADFS.
I now have to configure APM authentication (URL : https://myapp.comany.com, with ADFS auth too), then request a SAML token from ADFS for the internal resource (URL : ).
14-Apr-2017 04:55
Hi Stanislas,
Did you manage to figure out if SSO SAML is working as expected? (so APM is requesting a SAML token on behalf of an authenticated user for an SP)
Cheers,
Kees
14-Apr-2017 05:15
Hi,
No, the customer changed the authentication method on the internal server from SAML to Kerberos.
So now users authenticate with SAML on APM and SSO is set to Kerberos.
14-Apr-2017 05:29
Hi,
That is unfortunate. My customer has a SharePoint site behind an APM with user/password login on the APM, where the SharePoint site does SAML auth. When the access session times out and a different user uses the browser (without closing it), they are authenticated in SharePoint as the previous user (with the SharePoint auth cookie). (APM is not aware of the SAML auth to SharePoint.)
Kees
14-Apr-2017 06:01
Hi,
To remove the previous session cookie, you can use this code (change the SharePoint cookie name):
when ACCESS_SESSION_STARTED {
    # If the browser still carries the application cookie from a previous user,
    # send the new APM session through a cleanup URI before the original landing URI
    if { [HTTP::cookie exists sharepointcookie] } {
        ACCESS::session data set session.server.landinguri "/vdesk/cleanupCookie?url=[b64encode [ACCESS::session data get session.server.landinguri]]"
    }
}
when ACCESS_ACL_ALLOWED {
    # The path is lowercased before matching, so the switch pattern must be lowercase as well
    switch -glob [string tolower [HTTP::path]] {
        "/vdesk/cleanupcookie" {
            # Expire the application cookie in the browser and redirect to the original landing URI
            ACCESS::respond 302 noserver Location [b64decode [URI::query [HTTP::uri] url]] "Set-Cookie" "sharepointcookie=deleted; expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/;secure"
        }
    }
}
16-Apr-2017 03:21
Thanks,
But I have one other question about this: if there are two or more authenticated websites behind the same access policy, how can I do the same trick for all of them?
Cheers,
Kees
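One way to extend the cleanup iRule from the earlier reply to several applications behind the same access policy, as an added example that is not from the thread: the cookie names in the static list are placeholders, and it relies on ACCESS::respond accepting repeated header name/value pairs.

```tcl
# Added example (not from the thread): one cleanup iRule for several protected sites.
# The cookie names are placeholders; replace them with the real application session cookies.
when RULE_INIT {
    set static::app_cookies [list "sharepointcookie" "app2cookie" "app3cookie"]
}

when ACCESS_SESSION_STARTED {
    # If the browser still carries any application cookie from a previous user,
    # route the new APM session through the cleanup URI before the real landing URI.
    foreach name $static::app_cookies {
        if { [HTTP::cookie exists $name] } {
            ACCESS::session data set session.server.landinguri "/vdesk/cleanupCookie?url=[b64encode [ACCESS::session data get session.server.landinguri]]"
            break
        }
    }
}

when ACCESS_ACL_ALLOWED {
    # Compare against a lowercase literal, because the path is lowercased first.
    if { [string tolower [HTTP::path]] eq "/vdesk/cleanupcookie" } {
        set target [b64decode [URI::query [HTTP::uri] url]]
        # Build the ACCESS::respond argument list with one expired Set-Cookie
        # header per application cookie, then expand it with eval.
        set cmd [list ACCESS::respond 302 noserver Location $target]
        foreach name $static::app_cookies {
            lappend cmd "Set-Cookie" "${name}=deleted; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; secure"
        }
        eval $cmd
    }
}
```

Expiring a cookie this way only works for cookies scoped to the same host and path the APM virtual server serves, and it clears the browser copy only; the application's server-side session stays valid until it expires on its own.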