We have Big IP setup as a SAML SP. We also have VMware View that's load balanced behind F5. We're looking to integrate SAML authentication with VMware View instead of having View authenticate directly against F5/LDAP. Does anyone have experience with this? We've found documentation on how to setup View on Big IP via an iapp and/or a webtop. However, all that documentation hinges on setting up a local login page on F5 that authenticates directly against AD/LDAP. We haven't been able to find anything that would allow SAML to do the authentication, pass the userID into F5/View to then query AD for authorization rights. We're ok if F5/View need to bind to AD via a service account to query for user access groups. However, we'd like the authentication attempts to 100% go through SAML. Any pointers would be greatly appreciated.
Could you clarify the use-case:
Native View Client does not support SAML in normal sense, only web browser case makes sense here.
VMware View relies on SAML IDP to pass uVMware-specific attributes in SAML assertion (such as encrypted password) - otherwise VMware View is unable to SSO user into the desktop (user sees Windows logon dialog and has to type their credentials). The only SAML IDP that supports this is the VMware's Horizon Workspace. Were you thinking of using Horizon Workspace as IDP? If not, will the lack of SSO be acceptable?
We are primarily looking for a way to authenticate the HTML5 web browser client. We do not have Horizon Workspace and were intending to use Shibboleth or CA Siteminder Federation to act as the SAML IDP. ADFS is also an option for us. Are you familiar with any of these SAML IDP products and if there is a way to get them to work with Big IP as a SAML SP?
I did also hear that this may be possible to accomplish via Kerberos. Process would be F5 redirects the user to Shibboleth SAML IDP to auth, then passing the userID from SAML into Kerberos within F5 and then using an SSO Credential Map. However, the documentation I found seems to want to still pass the user password from an F5 login page (step 4.4. https://devcentral.f5.com/articles/apm-cookbook-single-sign-on-sso-using-kerberos)) so I'm not sure if this will truly work as I'm still redirecting to an External IDP for login. Thus F5 never gets the password
We do support integration with 3rd party SAML IDP providers for web-based services such as SharePoint. Usually Kerberos Constrained Delegation is used to authenticate to the backend behind F5 APM. We also support the use-case where F5 APM acts as a SAML SP for external users and as a SAML IDP for backend services.
Having said that, VMware View is not a web technology, and these scenarios are not currently supported by us. I'd highly encourage you to file a Case with F5 so we can properly capture requirements, as we were thinking about this use-case with VMware View but have not heard any real requests for it.
P.S. Please keep in mind that VMware View does not support SSO into View Desktop unless SAML assertion contains encrypted password, which is currently only supported by VMware's Horizon Workspace. Thus SSO will not work with Shibboleth or Siteminder. This is a VMware limitation and has nothing to do with F5.