At the moment I have a web server (Service Provider) and a Windows ADFS server (Identity Provider) which allows users on the main network to visit. (Work PC > Webserver > IdP > Webserver > now authenticated)
I am now trying to set this up so users can access the web server remotely by using the F5 APM module. One option is that I set the F5 up as an IdP and connect to the SP. However, the web server is a SaaS and cannot be easily changed. For example, I cannot change the SP to accept tokens from the F5.
So my question is, can I somehow get the F5 to use the Windows ADFS server to assert the tokens on its behalf? And how can I do this?
Thanks for your time.
After days of researching, and after posting this question, I have now found https://support.f5.com/kb/en-us/solutions/public/17000/000/sol17041.html which looks like it will solve the problem. Can anyone possibly confirm?
Figure 3) would be suitable if you want to make your internal AD FS securely accessible over the internet (aka using APM PreAuth with credential delegation).
But additional steps may be required to make your SaaS application accessible over the internet too (aka using the same APM PreAuth but without credential delegation).
The combination of both would create strong protection for both services and would allow the SaaS application to still use AD FS as an authentication provider.
I am planning to configure the same (ADFS as IdP and F5 APM as SP).
I couldn't find any documentation or help on it; I wonder if someone can guide me.
I have the APM policy as:
Start -> SAML Auth -> SSO Credential Mapping -> Allow
I imported the XML file into External IdP Connectors under SAML -> BIG-IP as SP.
Local SP Services are configured as follows:
Entity ID: https://login.example.com
SP Name Settings:
Assertion Consumer Service Binding: POST
Checked "Authentication Request" (the certificate and keys selected are different from the ADFS ones)
Checked: Want Signed Assertion
Unchecked: Want Encrypted Assertion
Unchecked: Force Authentication
Checked: Allow Name-Identifier Creation
Name-Identifier Policy Format:
SP Name-Identifier Qualifier: None
I am getting the following error:
/frontend/F5-SP:frontend:dbad7144: Executed agent '/frontend/F5-SP_act_saml_auth_ag', return value 3
/frontend/F5-SP:frontend:dbad7144: Session variable 'saml./frontend/F5-SP_act_saml_auth_ag.SAMLRequest' set to 'hhhhhhhhhhhhXXXXXX'
/frontend/F5-SP:frontend:dbad7144: SAML Agent: /frontend/F5-SP_act_saml_auth_ag SAML assertion is invalid, error: Assertion status is not successful
/frontend/F5-SP:frontend:dbad7144: Executed agent '/frontend/F5-SP_act_saml_auth_ag', return value 0
/frontend/F5-SP:frontend:dbad7144: Following rule 'fallback' from item 'SAML Auth' to ending 'Deny'
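As an added illustration of what the APM log above is reporting (this is example code, not F5, Microsoft or the poster's configuration): an SP checks the top-level samlp:Status of the IdP's Response before it even looks at the Assertion, and "Assertion status is not successful" is assumed here to correspond to a StatusCode other than urn:oasis:names:tc:SAML:2.0:status:Success coming back from AD FS. The script below parses a SAML 2.0 Response, flattens the (possibly nested) StatusCode chain that carries the real reason, and pulls the session id and error text out of APM access-policy log lines of the shape shown above. Both Response documents and the log excerpt are constructed samples; the issuer, entity and ACS URLs are placeholders.

```python
"""Check the samlp:Status of a SAML 2.0 Response and pick SAML failures out
of APM access-policy log lines. Added example; not F5 or AD FS code.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def saml_status(response_xml: str) -> dict:
    """Return the StatusCode chain, StatusMessage and whether an Assertion
    is present. SAML 2.0 lets the IdP nest a second-level StatusCode
    (e.g. Responder -> AuthnFailed) that says why the request failed."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response document")
    status = root.find("samlp:Status", NS)
    if status is None:
        raise ValueError("samlp:Response carries no samlp:Status")
    codes = []
    code = status.find("samlp:StatusCode", NS)
    while code is not None:
        codes.append(code.get("Value", ""))
        code = code.find("samlp:StatusCode", NS)  # nested sub-status, if any
    message = status.findtext("samlp:StatusMessage", default="", namespaces=NS)
    return {
        "ok": bool(codes) and codes[0] == SUCCESS,
        "codes": codes,
        "message": message.strip(),
        "has_assertion": root.find("saml:Assertion", NS) is not None,
    }


# APM policy log lines look like "<access policy>:<profile>:<session>: <msg>"
APM_LINE = re.compile(r"^(?P<policy>\S+):(?P<session>[0-9a-f]{8}): (?P<msg>.*)$")


def saml_failures(log_text: str) -> list:
    """Return (session id, error text) for every line reporting a rejected
    SAML assertion, so failures can be correlated per APM session."""
    found = []
    for line in log_text.splitlines():
        m = APM_LINE.match(line.strip())
        if not m or "SAML assertion is invalid" not in m.group("msg"):
            continue
        error = m.group("msg").split("error:", 1)[-1].strip()
        found.append((m.group("session"), error))
    return found


# Constructed sample: a successful Response carrying an Assertion.
SUCCESS_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2020-01-01T00:00:00Z" Destination="https://login.example.com/acs">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the IdP refused, with a nested sub-status and no Assertion.
FAILED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0"
    IssueInstant="2020-01-01T00:00:00Z" Destination="https://login.example.com/acs">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>Authentication failed.</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""

# Constructed log excerpt in the format APM writes (session id dbad7144).
APM_LOG = """/frontend/F5-SP:frontend:dbad7144: Executed agent '/frontend/F5-SP_act_saml_auth_ag', return value 3
/frontend/F5-SP:frontend:dbad7144: SAML Agent: /frontend/F5-SP_act_saml_auth_ag SAML assertion is invalid, error: Assertion status is not successful
/frontend/F5-SP:frontend:dbad7144: Following rule 'fallback' from item 'SAML Auth' to ending 'Deny'"""

if __name__ == "__main__":
    for name, doc in (("success", SUCCESS_RESPONSE), ("failed", FAILED_RESPONSE)):
        print(name, saml_status(doc))
    print(saml_failures(APM_LOG))
```

The status check is only the first gate: a real SP also verifies the Response/Assertion signature against the IdP's signing certificate, the Audience and Destination, and the NotBefore/NotOnOrAfter window, which is what the "Want Signed Assertion" and certificate settings in the SP service above govern. When the log shows "Assertion status is not successful", the nested StatusCode and StatusMessage from the IdP side (AD FS event logs) are where the actual reason lives, since APM only reports that the top-level status was not Success.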
I'm also trying to implement a similar configuration. We host a SaaS application for our clients, so we would like to have APM as the SP, which will communicate with the client's IdP (could be anything).