Forum Discussion
Your F5 acting as the SAML Service Provider (SP) should not be doing direct authentication; that is the job of the Identity Provider (IdP). By design the SAML SP is not allowed to pass credentials directly to the SAML IdP, so as to preserve the security of the SAML protocol.
The F5 acting as a SAML SP should redirect the authentication request to the SAML IdP, where the user provides credentials (and, in your case, a second factor) and gets a SAML token returned if successful. The user is then redirected back to the F5 with the token, which is validated, and access can be granted to the resource without the F5 ever seeing the user's full credentials.
Recommend the following links to learn a little more about this setup:
- F5 Cloud Docs: Lab 1: SAML Service Provider (SP) Lab
- Manual Chapter: Using APM as a SAML Service Provider
Following the initial setup, if you need Single Sign-On (SSO) for back-end resources, you can configure credentials to be passed securely from your SAML IdP, if it supports this.
I have been in companies that do not allow this due to internal security policy which made it difficult.
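The SP-initiated flow described in the reply above, as an added example that is not part of the original post and is not F5 APM code: the SP builds an AuthnRequest and redirects the browser to the IdP (HTTP-Redirect binding), then, when the browser returns with a token, checks that the token is the IdP's answer to a request this SP actually made before granting access. The entity IDs, endpoint URLs and the sample response are constructed for this example; real XML-DSig verification is delegated to a library (signxml is one), so here its result is passed in as a boolean.

```python
"""SP-initiated SAML 2.0 flow as seen from the Service Provider (constructed example)."""
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
FMT = "%Y-%m-%dT%H:%M:%SZ"
# Hypothetical entity IDs and endpoints chosen for this example.
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"
SP_ACS_URL = "https://sp.example.test/saml/acs"
IDP_ENTITY_ID = "https://idp.example.test/saml/metadata"
IDP_SSO_URL = "https://idp.example.test/saml/sso"

def _now():
    return datetime.now(timezone.utc).replace(microsecond=0)

def _parse_ts(s):
    return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)

def build_redirect(pending, relay_state="/protected"):
    """Step 1: the SP never handles a password. It issues an AuthnRequest, remembers
    the request ID in `pending`, and sends the browser to the IdP."""
    request_id = "_" + secrets.token_hex(16)
    pending[request_id] = {"issued": _now(), "relay_state": relay_state}
    authn = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
             f'ID="{request_id}" Version="2.0" IssueInstant="{_now().strftime(FMT)}" '
             f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}">'
             f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, as the Redirect binding requires
    deflated = comp.compress(authn.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state})
    return request_id, f"{IDP_SSO_URL}?{query}"

def make_sample_response(request_id, name_id="alice@example.test", issuer=IDP_ENTITY_ID,
                         audience=SP_ENTITY_ID, lifetime_s=300):
    """Constructed stand-in for the IdP's POSTed Response (unsigned; a real IdP signs it)."""
    now = _now()
    end = (now + timedelta(seconds=lifetime_s)).strftime(FMT)
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{now.strftime(FMT)}" '
           f'Destination="{SP_ACS_URL}" InResponseTo="{request_id}">'
           f'<saml:Issuer>{issuer}</saml:Issuer>'
           f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{now.strftime(FMT)}">'
           f'<saml:Issuer>{issuer}</saml:Issuer><saml:Subject><saml:NameID>{name_id}</saml:NameID>'
           f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
           f'<saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" InResponseTo="{request_id}" '
           f'NotOnOrAfter="{end}"/></saml:SubjectConfirmation></saml:Subject>'
           f'<saml:Conditions NotBefore="{(now - timedelta(minutes=1)).strftime(FMT)}" NotOnOrAfter="{end}">'
           f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
           f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

def validate_response(response_b64, pending, signature_verified):
    """Step 2: checks the SP performs on the returned token before granting access.
    `signature_verified` is the outcome of XML-DSig verification against the IdP's signing
    certificate (assumed done by a library; this example carries no XML-DSig code).
    Returns the NameID or raises ValueError; any failure means deny, never fall back."""
    if not signature_verified:
        raise ValueError("signature not verified: token cannot be trusted")
    root = ET.fromstring(base64.b64decode(response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    rid = root.get("InResponseTo")
    if rid not in pending:                      # unsolicited or replayed response
        raise ValueError("InResponseTo matches no outstanding AuthnRequest")
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not this SP's ACS")
    a = root.find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion missing or issued by an unexpected IdP")
    cond = a.find("saml:Conditions", NS)
    now = _now()
    if not (_parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("assertion was issued for a different SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != rid:
        raise ValueError("bearer confirmation does not match this SP or this request")
    pending.pop(rid)                            # one-time use: a replayed token now fails above
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)

if __name__ == "__main__":
    outstanding = {}
    req_id, url = build_redirect(outstanding)
    print("redirect browser to:", url[:72] + "...")
    token = make_sample_response(req_id)       # what the IdP would POST back after MFA
    print("authenticated subject:", validate_response(token, outstanding, signature_verified=True))
```

The F5 only ever sees the redirect it issues and the signed token that comes back; the user's password and second factor are exchanged with the IdP alone. The checks on InResponseTo, Audience, Recipient and the validity window are what stop a token minted for another SP, or one captured earlier, from being accepted here, and the one-time removal from `pending` is what makes a replay fail.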