cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.

F5 SAML as IdP - Architecture Question

Luis_Melendrez
Nimbostratus
Nimbostratus

In the case the F5 being the IdP for any cloud applications, user's request located on the cloud/internet can be redirected to edge F5 IdP that is facing the internet for authentication (usually this is a public IP address). This is understandable but from the architecture point of view, what is the best practice for the internal users located inside the company network? Do they need to be redirected to F5 located at the edge? Do they need tp resolve to that edge F5 public IP? or how the internal requests are handle when the F5 is acting as IdP for those cloud solutions (Office 365, etc)

 

Thanks

1 REPLY 1

AlexBCT
MVP
MVP

Hi Luis,

 

Here is my two cents;

  • The IdP will normally be configured (especially for public applications) using a FQDN. As such, wherever the client resolves the FQDN to, will be the IdP from the client's perspective. This means that technically, if you resolve the DNS entry differently for external and internal users, you could have an IdP on two different IP's.
  • I don't think there is a technical limitation to having multiple different IdP's and having them operate as one, but all scenarios I have worked with, it's always been 1 IdP per organisation per application and I wouldn't recommend having more than one IdP per organisation per application.
  • Different applications within the same organisation could be a different story - again, not common, but more likely. As the IdP is configured on an per-SP basis, you could point SP1 to IdP1 and SP2 to IdP2.
  • If it was up to me, and the IdP is already at the edge and serving up responses for external clients, I would probably let my internal users connect to the same IdP with the same IP to give a clear single entrypoint for any IdP traffic and it means I only have to monitor and control this one IdP and entrypoint.
  • I would probably also use this one single IdP for all SP's that I have control over. This will greatly improve session control, SingleLogin and SingleLogout capabilities and centralized management overall.

 

Hope this helps.