11-Feb-2020 03:20
Hello
We have a requirement to use F5 APM as SP to authenticate users from an external IDP (SafeNet in this case), and then users shall get redirected to the SharePoint application without the need to log in again (SSO).
In this scenario, we configured F5 as service provider and SafeNet as an external identity provider, and the SharePoint servers as a pool under the virtual server which has the access profile.
How is it possible that F5 can pass the assertion that it received from the external IDP correctly to the SharePoint servers to perform the SSO?
Currently, the SharePoint servers support SAML v1.1, not SAML v2.
14-Feb-2020 07:35
Hello,
The SAML assertion is consumed by the SP. In your situation I'd rather perform a Kerberos authentication via SSO Kerberos Profile on the SharePoint at the backend.
I think this is the easiest approach unless there is a technical constraint in your environment.
Let me know
Yoann
17-Feb-2020 04:27
Hi Yoann
How can we achieve Kerberos SSO between F5 and SharePoint in this case? Do we need to configure Kerberos on SafeNet (the external IDP) as well or no? On F5 APM, there are a few details required like SPN, account name, password, Kerberos realm, KDC; should these details be retrieved from the IDP through the SAML assertion, or how? Is there a document that explains this?
17-Feb-2020 09:52
Hello,
Kerberos SSO is Constrained Delegation. Here is a guide on configuring it:
https://www.f5.com/pdf/deployment-guides/kerberos-constrained-delegation-dg.pdf
17-Feb-2020 13:35
Hi Dave
In the document, the integration is between F5 and AD, which is the KDC server. In our scenario, there is no AD. It is F5 as SAML SP and SafeNet/Gemalto as SAML IDP. Does it mean that in this case SafeNet will be the KDC server?
25-Feb-2020 07:33
Hello, that depends, but if the site supports Kerberos I would assume there is a KDC that supports it somewhere in this environment. Keep in mind that the Kerberos SSO in APM was designed with MS AD in mind, so whatever KDC is present may work, but it will need to mimic the AD Kerberos implementation.
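To illustrate the flow the replies above describe (the SP consumes the SAML assertion itself, then derives the user identity that the Kerberos SSO profile requests a ticket for, in a realm configured on the SP rather than carried in the assertion), here is an added example that is not part of the thread and not F5's code. It shows the checks an SP performs on an assertion before trusting its subject: validity window, audience restriction, presence of a NameID, and then the mapping of that NameID to a Kerberos principal. The assertion, issuer, audience, user name and realm are constructed placeholders; the XML signature is omitted because verifying it needs an XML-DSig library and is done by APM before any of these checks matter.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (placeholder issuer, audience and NameID; not from
# the thread or any real deployment). The ds:Signature element is left out.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-id" Version="2.0" IssueInstant="2020-02-11T03:20:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2020-02-11T03:19:00Z" NotOnOrAfter="2020-02-11T03:25:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/saml/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse the UTC 'Z' timestamp form SAML uses into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_and_map(assertion_xml, expected_audience, kerberos_realm, now=None):
    """Check the assertion's Conditions and map its subject to a Kerberos principal.

    Returns {"name_id": ..., "principal": ...} on success; raises ValueError on
    any failed check so the caller never issues SSO for an untrusted subject.
    """
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(assertion_xml)

    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        raise ValueError("assertion has no Conditions element")

    # Validity window: NotBefore is inclusive, NotOnOrAfter is exclusive.
    not_before = parse_saml_time(conditions.get("NotBefore"))
    not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion is outside its validity window")

    # Audience restriction: the assertion must name this SP's entity ID.
    audiences = [a.text.strip() for a in
                 conditions.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)
                 if a.text]
    if expected_audience not in audiences:
        raise ValueError("assertion is not addressed to this SP")

    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not name_id.text or not name_id.text.strip():
        raise ValueError("assertion carries no NameID")
    subject = name_id.text.strip()

    # The Kerberos realm is SP-side configuration (as in the APM Kerberos SSO
    # profile), not something taken from the IdP. If the IdP sends a UPN-style
    # value, keep only the user part and append the configured realm.
    user = subject.split("@", 1)[0]
    return {"name_id": subject, "principal": f"{user}@{kerberos_realm.upper()}"}


if __name__ == "__main__":
    result = validate_and_map(
        SAMPLE_ASSERTION,
        expected_audience="https://sp.example.test/saml/sp",
        kerberos_realm="example.test",
        now=parse_saml_time("2020-02-11T03:20:30Z"),
    )
    print(result)
```

The point the example makes for the original question: nothing from the assertion is forwarded to SharePoint. The SP validates it, keeps only the subject, and the Kerberos side (realm, KDC, delegation account, SPN) is configured on the SP and must exist in whatever KDC the environment provides.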