Forum Discussion
SAML Auth with logon page
Hi,
We are planning to implement a SAML auth setup for our application on APM where F5 acts as SAML SP and Okta acts as external IDP. I have set up an access policy like Start-->SAML Auth --> On successful authentication against external IDP, allow access to resources and works fine.
But, if I add a logon page before SAML auth to collect the credentials and then pass them to SAML auth, external IDP (Okta) is again asking for credentials.
Start-->Logon Page (takes credentials) --> SAML auth (which should take the credentials entered in Logon Page and do a SAML authentication against external IDP). On successful authentication against external IDP, allow access to resources.
Could anyone please let me know why placing a logon page before SAML auth is not working?
Thanks, NR
Hello,
You can't pass attributes in SAMLRequest. You can do it only for SAML Assertion from IDP to SP.
If you insert a logon page before SAML Auth, it should be to achieve the process of IDP discovery ("Bindings" in APM). For example, you can prompt the user to set its email address so that you can redirect the user to the IDP he belongs to by processing the domain part of the email.
Yann
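As an added illustration of the point above that a SAMLRequest carries no user attributes (example code written for this thread, not from the original posts or from F5/Okta): it builds the SP-initiated AuthnRequest that the SP sends over the HTTP-Redirect binding, encodes it as the IdP receives it, and lists what the request actually contains. The entity ID is the one used later in the thread; the ACS URL and IdP SSO URL are constructed placeholders.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample values. The SP entity ID is the one used in this thread;
# the ACS and IdP SSO URLs are placeholders, not real Okta or APM endpoints.
SP_ENTITY_ID = "https://host.domain.com/sp"
ACS_URL = "https://host.domain.com/saml/sp/profile/post/acs"
IDP_SSO_URL = "https://idp.example.test/sso/saml"

def build_authn_request(request_id="_constructed-id-1"):
    """SP-initiated AuthnRequest as the SP (APM) would send it to the IdP."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        '<samlp:NameIDPolicy AllowCreate="true" '
        'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>'
        "</samlp:AuthnRequest>"
    )

def encode_redirect(xml):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = no zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode(), safe="")

def decode_redirect(saml_request_param):
    """What the IdP recovers from the SAMLRequest query parameter."""
    deflated = base64.b64decode(urllib.parse.unquote(saml_request_param))
    return zlib.decompress(deflated, -15).decode()

def describe_request(xml):
    """Return the issuer plus every element and attribute name present."""
    root = ET.fromstring(xml)
    elements = {e.tag.split("}")[1] for e in root.iter()}
    attributes = {a for e in root.iter() for a in e.attrib}
    issuer = root.find(f"{{{SAML}}}Issuer").text
    return {"issuer": issuer, "elements": elements, "attributes": attributes}
```

The request only identifies the SP and where the assertion should be posted; the user's credentials are presented to the IdP alone, which is why a logon page placed in front of SAML Auth on APM has nothing to hand through.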
I also would like to understand the rationale/requirement of doing a Logon page on APM vs using Okta's logon page - can you please share why you're looking to set it up this way?
- Neeharika_Redd1 (Nimbostratus)
We are looking at placing a custom logon page for our applications (which are going to be on Okta SSO), where the Okta logon page cannot be customized in the way we wanted. So, the requirement is that we display our custom logon page where the user enters his credentials, and then SAML auth happens (authenticates this user against Okta) and lets the user access the application.
Hello,
The normal way is to prompt credentials to the user on the IDP only. Then, the IDP can forward creds within a secured (encrypted) SAML assertion.
I think that the expected scenario you described is more or less insecure.
But you are free to implement it your way.
If the Okta SSO login page doesn't fit user experience expectations, you can publish the Okta login page through F5 LTM and override content using an iRule.
- Neeharika_Redd1 (Nimbostratus)
Hi Yann,
Could you please let us know how we achieve this - "publish Okta login page through F5 LTM"? I'm new to SAML auth, and it would be great if we can get more info.
- chion_15356 (Nimbostratus)
Hi,
We too are trying to use Okta as the IDP to access a resource via the APM. Can you let me know if you got this working?
- Neeharika_Redd1 (Nimbostratus)
Sure Chion!
- chion_15356 (Nimbostratus)
Thanks for the reply. Are your backend resources authenticating via Kerberos? In other words, once you are authenticated via SAML, how are you providing access to your backend resources. Thanks in advance.
- Hi Chion & Neeharika - Can either of you share any links to documents used for getting Okta IDP working with the F5 APM, or what general resources did you use? Thanks!
- chion_15356 (Nimbostratus)
Unfortunately, there was no reference material, just good ole trial and error... Here are some steps we went through. Just keep in mind that you need to use Kerberos for your backend authentication. Good luck.
SAML with OKTA
1. Create a new URL to be used. (e.g. https://host.domain.com/sp)
2. Configure the DNS record
3. OKTA side: Configure OKTA setting and export metadata
4. On F5, go to Access Policy | SAML | BigIP as SP, and create a new iDP object using the metadata from step 3
5. Browse for the Metadata file and select a name (something descriptive to what service it will be used for; e.g., OKTA_SERVICE-iDP)
6. Under the Assertion settings, change the Identity Locations to "Attribute" and type in "upn"
7. Once created, go to Access Policy | SAML | BigIP as SP and for Local SP Service click Create
8. Select a name for the SP Service (something descriptive to what service it will be used for; e.g., OKTA_SERVICE-SP). For the Entity ID, enter the URL provided in step 1 above (https://host.domain.com/sp)
9. After creating the Local SP Service, highlight the SP service just created and select "Bind/Unbind iDP connector"
10. Click "Add New Row", choose the SAML IdP Connector and choose Update
- Will another authentication type just not work based on what you tested? Is it documented anywhere that you have to use Kerberos? AD won't work?
- Cody_Green_1030 (Historic F5 Account)
You have to use Kerberos due to the fact that APM does not have the user's password and therefore can't perform Forms, Basic or NTLM authentication.