Forum Discussion

test_jampes_144
Feb 14, 2014

APM Kerberos and SAML

In a few weeks, we have a web application to install. Some clients are XP and others Seven, as described below. The clients with Seven are installed and attached to an Active Directory domain (Kerberos token). I would configure the APM to catch the Kerberos token, create a SAML token with the identity and other attributes, and post this SAML assertion to my web applications (Alfresco, IBM Connections, IBM Notes). The XP clients use a web portal hosted by APM. This web portal connects to LDAP for authentication (Active Directory). APM creates a SAML token with the identity and posts this SAML assertion to my web applications (Alfresco, IBM Connections, IBM Notes).

Is it a good design? And where is it wrong?

Thanks.

3 Replies

  • Based on what you described, this actually sounds like a fairly decent setup.

    You would be able to fine-tune the policy for each to suit the target operating system. I'd suggest using a Client OS check to try and determine whether a client needs to supply Kerberos credentials (this can be configured to fall back to basic authentication) when running Win7, or go straight to a logon page. You could send Mac and mobile clients to the logon page as well using the conditionals on the branch.

  • Great. In this case, are the applications configured to support Kerberos credentials, or is it not necessary? The APM relays, converting into the protocol configured in the application. In other words, a conversion of Kerberos credentials to SAML by APM would be good, if it is possible.

  • Apps protected by this APM instance could be using Kerberos, but as you said, they are using SAML. The protocols in use on each side of the F5 do not have to be the same.
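Both branches of the design discussed above (Kerberos for the domain-joined Windows 7 clients, the LDAP logon page for XP) end with APM issuing a SAML assertion to the same applications. As an added example that is not part of this thread or of F5 APM, the Python below builds that assertion from either logon result, normalises the two identity forms to one NameID, records which branch authenticated the user, and parses back the fields the receiving application must check; the entity IDs, realm and attribute names are placeholder assumptions, and XML signing is left out because it needs the IdP's key and configuration.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = "urn:oasis:names:tc:SAML:2.0:assertion"
T = lambda tag: f"{{{NS}}}{tag}"  # Clark-notation tag in the assertion namespace
IDP_ENTITY_ID = "https://apm.example.test/saml/idp"  # placeholder IdP entity ID (assumption)
KERBEROS_REALM = "CORP.EXAMPLE.TEST"                  # placeholder AD realm (assumption)
AUTHN_CLASS = {"kerberos": "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos",
               "ldap": "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"}

def identity_from_logon(method, raw_identity):
    """One NameID for both branches: Kerberos gives 'user@REALM', LDAP a bare name; foreign realms rejected."""
    if method == "kerberos":
        user, _, realm = raw_identity.partition("@")
        if realm.upper() != KERBEROS_REALM:
            raise ValueError("Kerberos principal from unexpected realm")
        return user.lower()
    if method == "ldap":
        return raw_identity.lower()
    raise ValueError(f"unknown logon method {method!r}")

def build_assertion(method, raw_identity, audience, attributes, lifetime_s=300):
    """Unsigned assertion XML (a real IdP must XML-sign it) with a short validity window and one audience."""
    now = datetime.now(timezone.utc)
    ts = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    a = ET.Element(T("Assertion"), {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": ts(now)})
    ET.SubElement(a, T("Issuer")).text = IDP_ENTITY_ID
    nid = ET.SubElement(ET.SubElement(a, T("Subject")), T("NameID"),
                        {"Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"})
    nid.text = identity_from_logon(method, raw_identity)
    cond = ET.SubElement(a, T("Conditions"),
                         {"NotBefore": ts(now), "NotOnOrAfter": ts(now + timedelta(seconds=lifetime_s))})
    ET.SubElement(ET.SubElement(cond, T("AudienceRestriction")), T("Audience")).text = audience
    ctx = ET.SubElement(ET.SubElement(a, T("AuthnStatement"), {"AuthnInstant": ts(now)}), T("AuthnContext"))
    ET.SubElement(ctx, T("AuthnContextClassRef")).text = AUTHN_CLASS[method]  # records which branch logged on
    stmt = ET.SubElement(a, T("AttributeStatement"))
    for name, value in attributes.items():  # e.g. mail or displayName read from AD
        ET.SubElement(ET.SubElement(stmt, T("Attribute"), {"Name": name}), T("AttributeValue")).text = value
    return ET.tostring(a, encoding="unicode")

def parse_assertion(xml_text):
    """Fields a receiving application checks once the signature has been verified."""
    root, ns = ET.fromstring(xml_text), {"s": NS}
    return {"issuer": root.findtext("s:Issuer", namespaces=ns),
            "name_id": root.findtext("s:Subject/s:NameID", namespaces=ns),
            "audience": root.findtext("s:Conditions/s:AudienceRestriction/s:Audience", namespaces=ns),
            "authn_class": root.findtext("s:AuthnStatement/s:AuthnContext/s:AuthnContextClassRef", namespaces=ns),
            "attributes": {e.get("Name"): e.findtext("s:AttributeValue", namespaces=ns)
                           for e in root.findall("s:AttributeStatement/s:Attribute", namespaces=ns)}}
```

The receiving application should also reject any assertion whose Audience is not its own entity ID or whose NotOnOrAfter has passed, so that an assertion issued for one of the three applications cannot be replayed against another.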