Using F5 as a Service Provider with Okta IdP

ecohler · ‎10-Aug-2022

I've read part 1 and 2 of this article for how to connect F5 as a service provider to Okta:

Secure Access to Web Applications with F5 and Okta... - DevCentral

However, it doesn't provide instructions for how to get the Single sign on URL and the Audience URI for the app, and I also can't find an article for how to connect F5 to the application to pass the header or kerberos auth to. Could someone help me? I'm basically looking for what information I'll need to retrieve and give to the owners of the systems using legacy auth in order to connect those systems to F5 to use Okta auth with them.

JoshBecigneul · ‎10-Aug-2022

Hi @ecohler,

So in this case the Audience URI and the Single sign on URL would be based on the DNS hostname for the VIP your access policy is attached to, meaning: the way that Okta would communicate with the SP and what appears in your browser.

In the BIG-IP interface, the Audience URI is the same as the Entity ID field from the SAML SP Service editor, in the General Settings section.

The Single Sign-on URL is a combination of the Audience URI, followed by the URL path /saml/sp/profile/post/acs. This is also called the Assertion Consumer Service URL. The path should always be the same, but the hostname would change for each unique service provider/application. Example: https://sp.example.com/saml/sp/profile/post/acs.

In the linked guide you can see in the example that their Audience (SP Entity ID) is https://app.f5sec.net, and the Single Sign-on URL is https://app.f5sec.net/saml/sp/profile/post/acs.

Hope this helps,
Josh

Leslie_Hubertus · ‎22-Aug-2022

@ecohler - were you able to work with the advice from @JoshBecigneul ? If yes, don't forget to click the button on his comment to Accept as Solution so that anyone else looking for an answer to the same problem can easily find the solution. 🙂