Showing results for 
Search instead for 
Did you mean: 

F5 APM SAML with Safenet and SharePoint




We have a requirement to use F5 APM as SP to authenticate users from external IDP (Safenet in this case) and then users shall get redirected to sharepoint application without the need to login again (SSO).


In this scenario, we configured f5 as service provider and Safenet as an external identity provider. and sharepoint servers as a pool under the virtual server which has the access profile.


How is it possible that F5 can pass the assertion that it received from exertnal idp correctly to the sharepoint servers to perform the SSO ?


Currently, the sharepoint servers are supporting SAML V1.1 not SAML V2.





The SAML assertion is consumed by the SP. In you situation I'd rather perform a Kerberos authentication via SSO Kerberos Profile on the Sharepoint at the backend.


I thing this is the easies approach unless there is a technical constraint in your environment.


Let me know



Hi Yoann


How can we achieve Kerberos SSO between F5 and Sharepoint in this case ? Do we need to configure Kerberos on Safenet (the external IDP) as well or no ?On F5 APM, there are few details required like SPN, account name, password, kerberos realm, KDC, these details should be retrieved IDP through SAML Assertion or how ? Is there a document explains this ?



Kerberos SSO is Constrained Delegation. Here is a guide on configuring it:

Hi Dave


In the document, the integration is between F5 and AD which is KDC server. In our scenario, there is no AD. It is F5 as SAML SP and Safenet/Gamealto as SAML IDP. Does it mean in this case, the safenet will be the KDC server ?

Hello, that depends, but if the site supports Kerberos I would assume there is a KDC that supports it somewhere in this environment. Keep in mind that the Kerberos SSO in APM was designed with MS AD in mind so whatever KDC is present may work, but will need to mimic the AD Kerberos implementation.