Using F5 as a Service Provider with Okta IdP

ecohler
Nimbostratus

I've read part 1 and 2 of this article for how to connect F5 as a service provider to Okta:

Secure Access to Web Applications with F5 and Okta... - DevCentral

However, it doesn't provide instructions for how to get the Single sign on URL and the Audience URI for the app, and I also can't find an article for how to connect F5 to the application to pass the header or Kerberos auth to. Could someone help me? I'm basically looking for what information I'll need to retrieve and give to the owners of the systems using legacy auth in order to connect those systems to F5 to use Okta auth with them.


Hi @ecohler,

So in this case the Audience URI and the Single sign on URL would be based on the DNS hostname for the VIP your access policy is attached to, meaning: the way that Okta would communicate with the SP and what appears in your browser.

In the BIG-IP interface, the Audience URI is the same as the Entity ID field from the SAML SP Service editor, in the General Settings section. 


The Single Sign-on URL is a combination of the Audience URI, followed by the URL path /saml/sp/profile/post/acs. This is also called the Assertion Consumer Service URL. The path should always be the same, but the hostname would change for each unique service provider/application. Example: https://sp.example.com/saml/sp/profile/post/acs

In the linked guide you can see in the example that their Audience (SP Entity ID) is https://app.f5sec.net, and the Single Sign-on URL is https://app.f5sec.net/saml/sp/profile/post/acs

Hope this helps,
Josh
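As an added example (not part of the reply above, nor BIG-IP or Okta code), the script below derives the two Okta app fields from the BIG-IP SP Entity ID exactly as described, and then shows why they have to match: a standard SAML SP rejects a response whose Destination, Audience or Recipient differ from those values. The SAML response is a constructed, unsigned sample built around the guide's https://app.f5sec.net; the function names are my own.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assertion Consumer Service path used by BIG-IP APM (from the reply above)
ACS_PATH = "/saml/sp/profile/post/acs"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

def okta_app_settings(sp_entity_id: str) -> dict:
    """Derive the Okta 'Audience URI' and 'Single sign on URL' from the SP Entity ID."""
    u = urlparse(sp_entity_id)
    if u.scheme != "https" or not u.netloc:
        raise ValueError("SP Entity ID should be the https URL of the APM VIP hostname")
    base = f"{u.scheme}://{u.netloc}"          # hostname of the VIP the policy is on
    return {"audience_uri": sp_entity_id, "single_sign_on_url": base + ACS_PATH}

def check_response(xml_text: str, sp_entity_id: str) -> list:
    """Return a list of mismatches between a SAML Response and the SP's expected values.
    (Generic SAML SP checks, assumed here; signature validation is out of scope.)"""
    expected = okta_app_settings(sp_entity_id)
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != expected["single_sign_on_url"]:
        problems.append("Destination != ACS URL")
    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if expected["audience_uri"] not in audiences:
        problems.append("Audience != SP Entity ID")
    for scd in root.findall(".//saml:SubjectConfirmationData", NS):
        if scd.get("Recipient") != expected["single_sign_on_url"]:
            problems.append("Recipient != ACS URL")
    return problems

# Constructed sample response (trimmed, unsigned) for illustration only
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://app.f5sec.net/saml/sp/profile/post/acs">
  <saml:Assertion>
    <saml:Subject><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="https://app.f5sec.net/saml/sp/profile/post/acs"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://app.f5sec.net</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(okta_app_settings("https://app.f5sec.net"))
    print(check_response(SAMPLE_RESPONSE, "https://app.f5sec.net"))        # []
    print(check_response(SAMPLE_RESPONSE, "https://other.example.com"))    # three mismatches
```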

Leslie_Hubertus
Community Manager

@ecohler - were you able to work with the advice from @JoshBecigneul? If yes, don't forget to click the button on his comment to Accept as Solution so that anyone else looking for an answer to the same problem can easily find the solution. 🙂