Forum Discussion

Karthik_Krishn1's avatar
Karthik_Krishn1
Icon for Cirrostratus rankCirrostratus
Mar 15, 2016
Solved

APM and certificate based AD authentication

Hello,   We are looking to authenticate users into their domain joined PC's using certificate based services (Smartcard's). Due to the way it is going to implemented, users will not get a prompt t...
BIG-IP Access Policy Manager (APM)
security
  • Lucas_Thompson_'s avatar
    Lucas_Thompson_
    Mar 15, 2016

    In other words: APM doesn't have the user's password. The normal solutions to this are:

     

    1. Use Kerberos SSO with a delegation account. This is easy an long as your web server is IIS.
    2. Use SAML.

    Sometimes people come up with other solutions. Because APM has access to irules, you can basically implement anything that is technically possible, with the important exception of passing the client's certificate through to the backend app. We don't support doing that.

     

    I'd recommend consulting your app vendor to get their preferred SSO delegation technique.

     

Lucas_Thompson_'s avatar
Lucas_Thompson_
Historic F5 Account
Mar 15, 2016

In other words: APM doesn't have the user's password. The normal solutions to this are:

 

  1. Use Kerberos SSO with a delegation account. This is easy an long as your web server is IIS.
  2. Use SAML.

Sometimes people come up with other solutions. Because APM has access to irules, you can basically implement anything that is technically possible, with the important exception of passing the client's certificate through to the backend app. We don't support doing that.

 

I'd recommend consulting your app vendor to get their preferred SSO delegation technique.

 

  • Michael_Koyfma1's avatar
    Michael_Koyfma1
    Icon for Cirrus rankCirrus
    Mar 15, 2016
    A third option would be to amend application to trust the user identity being passed to it via HTTP header and restrict traffic to application to only come from APM - that way you can adapt an application to SSO behavior.