I've read parts 1 and 2 of this article for how to connect F5 as a service provider to Okta:
However, it doesn't provide instructions for how to get the Single sign on URL and the Audience URI for the app, and I also can't find an article for how to connect F5 to the application to pass the header or Kerberos auth to. Could someone help me? I'm basically looking for what information I'll need to retrieve and give to the owners of the systems using legacy auth in order to connect those systems to F5 to use Okta auth with them.
So in this case the Audience URI and the Single sign on URL would be based on the DNS hostname for the VIP your access policy is attached to, meaning: the way that Okta would communicate with the SP and what appears in your browser.
In the BIG-IP interface, the Audience URI is the same as the Entity ID field from the SAML SP Service editor, in the General Settings section.
The Single Sign-on URL is a combination of the Audience URI, followed by the URL path /saml/sp/profile/post/acs. This is also called the Assertion Consumer Service URL. The path should always be the same, but the hostname would change for each unique service provider/application. Example: https://sp.example.com/saml/sp/profile/post/acs.
Hope this helps,
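
Added example, not part of the reply above and not F5 or Okta code: a check that reads a service provider's SAML metadata XML and returns the two values to enter in Okta, flagging an ACS location that does not follow the Entity ID plus /saml/sp/profile/post/acs rule described in the answer. The function name and the sample metadata are constructed for illustration, and it assumes the Entity ID is the https URL of the VIP.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ACS_PATH = "/saml/sp/profile/post/acs"  # path given in the answer above

# Constructed sample SP metadata (hostname taken from the answer's example).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/sp/profile/post/acs"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def okta_values_from_sp_metadata(xml_text):
    """Return the Audience URI and Single sign on URL for Okta, plus any issues.

    Hypothetical helper: parse only metadata files you exported yourself.
    """
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID", "")
    # Only the HTTP-POST binding matches the .../post/acs endpoint.
    acs = [e.get("Location", "") for e in root.iter(MD + "AssertionConsumerService")
           if e.get("Binding") == POST_BINDING]
    expected = entity_id.rstrip("/") + ACS_PATH
    sso_url = acs[0] if acs else expected
    issues = []
    if not acs:
        issues.append("no HTTP-POST AssertionConsumerService in metadata")
    if urlsplit(entity_id).scheme != "https":  # assumption: Entity ID is the VIP URL
        issues.append("Entity ID is not an https URL")
    if acs and sso_url != expected:
        issues.append(f"ACS {sso_url} differs from Entity ID + {ACS_PATH}")
    if acs and urlsplit(sso_url).hostname != urlsplit(entity_id).hostname:
        issues.append("ACS hostname differs from Entity ID hostname")
    return {"audience_uri": entity_id, "sso_url": sso_url, "issues": issues}


if __name__ == "__main__":
    print(okta_values_from_sp_metadata(SAMPLE_METADATA))
```

A mismatch between these values and what is configured in Okta typically shows up as a rejected assertion (audience or destination check), so an empty issues list is worth confirming before handing the values to application owners.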