SAML Auth with logon page

Hello,

You can't pass attributes in SAMLRequest. You can do it only for SAML Assertion from IDP to SP.

If you insert a logon page before SAML Auth, it should be to achieve the process of IDP discovery ("Bindings" in APM). For example, you can prompt the user to set it's email address so that you can redirect the user to the IDP he belongs to by processing the domain part of the email.

Yann

I also would like to understand the rationale/requirement of doing a Logon page on APM vs using Okta's logon page - can you please share why you're looking to set it up this way?

We are looking at placing a custom logon page for our applications (which are going to be on Okta SSO), where Okta logon page cannot be customized in the way we wanted. So, the requirement is that, we display our custom logon page where the user enters his credentials and then SAML auth happens (authenticates this user against Okta) and let the user access application.

Hello,

The normal way is to prompt credentials to the user on the IDP only. Then, the IDP can forward creds within a secured (encrypted) SAML assertion.

I think that the expected scenario you described is more or less unsecure.

But you are free to implement your way

If Okta SSO login page doesn't fit user experience expectations, you can publish Okta login page through F5 LTM and override content using irule

Hi Yann,

Could you please let us know how do we achieve this - "publish Okta login page through F5 LTM"? I'm new to SAML auth, and would be great if we can get more info.

Hi,

We too are trying to use Okta as the IDP to access a resource via the APM. Can you let me know if you got this working?

Thanks for the reply. Are your backend resources authenticating via Kerberos? In other words, once you are authenticated via SAML, how are you providing access to your backend resources. Thanks in advance.

Unfortunately, there were no reference material, just good ole trial and error...Here is some steps we went through. Just keep in mind that you need to use Kerberos for your backend authentication. Good luck.

SAML with OKTA 1. Create a new URL to be used. (e.g. https://host.domain.com/sp) 2. Configure the DNS record 3. OKTA side: Configure OKTA setting and export metadata 4. On F5, go to Access Policy | SAML | BigIP as SP, and create a new iDP object using the metadata from step 3 5. Browse for the Metadata file and select a name (something descriptive to what service it will be used for; e.g., OKTA_SERVICE-iDP) 6. Under the Assertion settings, change the Identity Locations to “Attribute” and type in “upn” 7. Once created, go to Access Policy | SAML | BigIP as SP and for Local SP Service click Create 8. Select a name for the SP Service (something descriptive to what service it will be used for; e.g., OKTA_SERVICE-SP). For the Enitiy ID, enter the URL provided in step 1 above (https://host.domain.com/sp) 9. After creating the Local SP Service, highlight the SP service just created and select “Bind/Unbind iDP connector” 10. Click “Add New Row”, and choose the SAML IdP Connector and choose update