F5 APM SAML with Safenet and SharePoint

SASA1
Nimbostratus

Hello

We have a requirement to use F5 APM as the SP to authenticate users from an external IdP (Safenet in this case), and then users shall get redirected to the SharePoint application without the need to log in again (SSO).

In this scenario, we configured F5 as the service provider and Safenet as the external identity provider, and the SharePoint servers as a pool under the virtual server that has the access profile.

How is it possible for F5 to pass the assertion that it received from the external IdP correctly to the SharePoint servers to perform the SSO?

Currently, the SharePoint servers support SAML v1.1, not SAML v2.

5 REPLIES

Yoann_Le_Corvi1
Cumulonimbus

Hello,

The SAML assertion is consumed by the SP. In your situation I'd rather perform Kerberos authentication via an SSO Kerberos profile to the SharePoint at the backend.

I think this is the easiest approach unless there is a technical constraint in your environment.

Let me know

Yoann

Hi Yoann

How can we achieve Kerberos SSO between F5 and SharePoint in this case? Do we need to configure Kerberos on Safenet (the external IdP) as well or not? On F5 APM, there are a few details required, like SPN, account name, password, Kerberos realm and KDC; should these details be retrieved from the IdP through the SAML assertion, or how? Is there a document that explains this?

Hello,

Kerberos SSO is Constrained Delegation. Here is a guide on configuring it:

https://www.f5.com/pdf/deployment-guides/kerberos-constrained-delegation-dg.pdf

Hi Dave

In the document, the integration is between F5 and AD, which is the KDC server. In our scenario, there is no AD. It is F5 as SAML SP and Safenet/Gemalto as SAML IdP. Does it mean that in this case Safenet will be the KDC server?

Hello, that depends, but if the site supports Kerberos I would assume there is a KDC that supports it somewhere in this environment. Keep in mind that the Kerberos SSO in APM was designed with MS AD in mind, so whatever KDC is present may work, but it will need to mimic the AD Kerberos implementation.
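As an added illustration (not from this thread, the linked guide, or any F5 deployment), the BIG-IP tmsh objects that the SAML SP + Kerberos SSO design discussed above needs, with the user name for the Kerberos ticket taken from the SAML assertion. All names (EXAMPLE.COM, kdc.example.com, apm-kcd-svc, sharepoint-ap, the delegation-account password) are placeholders, and the access profile with its SAML SP agent is assumed to exist already.

```tmsh
# Added example, not part of the original thread. Placeholders: EXAMPLE.COM
# (Kerberos realm), kdc.example.com (KDC), apm-kcd-svc (delegation account),
# sharepoint-ap (existing access profile that already does the SAML SP logon).
#
# The assertion itself is never forwarded to SharePoint: APM consumes it, then
# requests a service ticket for the user via S4U2Self/S4U2Proxy (the Microsoft
# protocol-transition extensions). A KDC without those extensions cannot be used,
# which is what "mimic the AD Kerberos implementation" means in practice, and the
# SharePoint web application must use Windows (Negotiate/Kerberos) authentication.

# 1. Kerberos SSO object. username-source must yield the user's Kerberos
#    principal name; here the SAML NameID is assumed to carry it. If the IdP
#    sends it in an attribute instead, point username-source at that
#    session.saml.last.attr.name.<attribute> variable.
tmsh create apm sso kerberos sharepoint-kcd \
    account-name apm-kcd-svc \
    account-password "<delegation-account-password>" \
    realm EXAMPLE.COM \
    kdc kdc.example.com \
    spn-pattern HTTP/%h@EXAMPLE.COM \
    username-source session.saml.last.nameIDValue

# 2. Attach the SSO object to the access profile and apply the policy.
tmsh modify apm profile access sharepoint-ap sso-name sharepoint-kcd
tmsh modify apm profile access sharepoint-ap generation-action increment

# 3. Checks after a test logon: confirm the NameID landed in the session and
#    watch the SSO log for the ticket request to the KDC.
sessiondump --allkeys | grep -E 'saml.last.nameIDValue|sso'
tail -f /var/log/apm
```

In the KDC, the apm-kcd-svc account must be permitted to delegate to the SharePoint SPN (HTTP/<sharepoint-host>), otherwise the S4U2Proxy step fails even though the SAML logon succeeds.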