apm sso saml oauth
3 Topics

F5APM SSO SAML OAUTH
I am trying to integrate F5 APM with Citrix.

Setup:

- F5 APM SAML SP
- Azure AD SAML IDP
- SSO to Citrix

Issue: New Citrix versions don't support Kerberos tokens, so after the successful SAML authentication, the post assertion will send the user information as a Kerberos token, which is then passed to Citrix StoreFront. As Citrix doesn't support Kerberos, it simply presents you with a StoreFront logon page and asks you to log on again. Basically, we have to log in twice to launch an application or desktop.

Citrix Workaround:

- Enable SAML on StoreFront
- Create a new external SP connector to StoreFront SAML
- Enable Citrix FAS
- Enable Active Directory CA
- Deploy FAS AD GPO

We can avoid the above design change if we could get the below access policy to work:

Start --> Internet Users --> F5 APM External Logon page --> Enter Username & Password --> Capture the Username & Password to a variable --> Input that to the right SAML attributes of the SAML external IDP connector --> auto feed the username & password to the SAML flow --> on successful SAML authentication --> pass on the username & password from the logon page for the SSO credentials to the StoreFront for SSO

We are not able to figure out a way to capture the username & password from the logon page and pass it to the SAML authentication flow. Any help & guidance in this regard is greatly appreciated.

19 Views, 0 likes, 0 Comments

SAML artifact server - using redirect not post
Hi, I had a working setup.

- login.test.com -> SAML IDP
- Auth.test.com -> OAuth server + SAML SP - to get an OAuth token you needed a SAML ID

This worked well until I realised some of the redirects were actually posts and you needed a functional JavaScript engine to process them!

I went about changing the ARS on the IDP to redirect with authentication and set up an ACS to talk to it, so:

- login -> SAML IDP + SAML ARS (artifact server)
- auth -> OAuth + SAML SP + SAML ACS (artifact consumer service; basically, my understanding is that it makes an out-of-band call to login, so it doesn't go via the browser)

All working well except for the ACS -> ARS call. I can see the request making it to login, and I have an iRule to capture the post, but the VS is terminating the link with a TCP RST. No logging in APM or LTM logs. I have debug turned on for access profile and SSO; it doesn't help.

Anyone got it working? Anyone got any ideas on how to debug the next step?

1.2K Views, 0 likes, 8 Comments

F5 SSO - OAuth with SAML - how to preserve the original protect URL
Hi,

So I have:

- login -> This is my login server - I have APM protecting it
- auth -> this is my OAuth server; it talks to login to get login, it's a SAML call

Let's say I have https://uat/<some protected URL>, and I use an OAuth claim to protect it.

So when I go to https://uat/<some protected URL> I get:

- redirect to /my.policy
- then redirect to auth/oauth url
- redirect to auth/my.policy
- redirect to login/saml end point
- redirect to /my.policy
- redirect to /my.policy
- the login process
- redirect to auth/sam return end point
- redirect to https://uat/Oauth return point
- redirect back to https://uat/<some protected URL>

When it works it's okay, but what happens with a bad password, or if a user takes too long to log in and has to start a new login session? Any break from normal means that user ends up on https://login/

I have noticed on other SSO workflows the originating URL is in the URL passed around - that doesn't happen on F5. I checked the landing on the initial entry to https://auth and the browser doesn't even send the referrer URL...

How do people cope with this?

Note my APM sessions are on different F5s, so I can't share behind-the-scenes variables!

1.3K Views, 0 likes, 7 Comments