Forum Discussion

masod_211209
Jul 30, 2015

F5 APM as IDP using Custom Page

Hello,


Currently we are trying to use BIG-IP APM as an IdP. Please suggest how this can be achieved:


Currently our site is public. There is a login form embedded in the landing page. To access any protected resource, the user has to enter a username and password, which are validated against the database. If database authentication is successful, the user can see the resources and links to external partners.


Our requirement: when an authenticated user clicks on an external partner link, we want them to access the partner site without being prompted to log in again.


We can configure APM as IdP and SP. The challenge we are facing is how to set up the authentication in APM in the above scenario. Since the landing page is unprotected, the user enters credentials there, and when they click a partner link we would like to use the already authenticated username and pass it to the external partner (SP).


Any suggestions?


Thanks, Msid


11 Replies

  • Does the partner side act as a SAML SP? If so, you can create a federation relationship between APM as IdP and the partner site as SP, and assign that SAML resource as the SSO config in your access policy. This way, as the user goes to the partner site, it would ask for an assertion from the same virtual server as the application VS protected by APM, and it would get a seamless assertion back and be signed into the partner application.


  • The partner acts as a SAML SP; we can set up the federation between the two. How do we address the authentication? Using APM as IdP, can you please suggest steps on how to configure authentication in this case? Do I need to modify my existing application?


    Thanks


  • Are you using APM to authenticate the user before they get to the protected part of the application today? It would be ideal if you did, because if you want to allow unauthenticated access in addition to authenticated access, the config would be a bit more complex. The good news is that no changes to the application are necessary regardless of the scenario; all the work is done on the BIG-IP. I would first suggest building a successful standalone configuration where BIG-IP is the IdP and the partner is the SP and getting that part working. Once that works, it would be easier to take it and integrate it with the overall bigger scenario; a divide-and-conquer approach is usually the most effective one. You can also consider engaging F5 or one of the F5-authorized partners' services to help you with this.


  • The application is unprotected and can be accessed by anyone. If users want access to a protected resource, they have to enter credentials first and get authenticated before seeing any protected resource.


    I was hoping to do the following:
    1) Use HTTP form-based authentication pointed at our existing landing page.
    2) After the user's credentials are verified, we send a parameter value back to APM signifying that the user is authenticated (we will have to modify our existing app to achieve this).
    3) Redirect from APM to the protected resource pages.
    4) The user clicks on a partner link.
    5) Redirect to the SP via APM.
    6) The SP consumes the assertion and grants access.


    Let me know if the above steps will work.


    Thanks


  • kunjan

    See if this is workable.

    On APM, create the access policy in the VPE:
    1) Create an IdP SSO resource.
    2) Bind it to the SP connector.
    3) Create a new access policy and attach the IdP SSO resource created above.
    4) Configure the access policy with an 'External Logon Agent' to capture the credentials.
    5) Use the HTTP AAA agent to do form-based authentication.
    6) Redirect to the landing page.

    • masod_211209
      One clarification: will the IdP SSO resource in this case be the URL of the external partner site?
    • kunjan
      The IdP SSO config is local. The external partner configuration is in the SP connector.
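Added example, written for this page and not taken from the thread or from F5's own code: a minimal model in Python of the application-side login endpoint that the HTTP AAA agent in the steps above would POST the captured credentials to, together with the success signal the original poster says the app will have to return (step 2 of their plan). The endpoint path and field names, the APPSESSION cookie, the choice of cookie presence plus a redirect as the "successful logon" indicator that the IdP side would check for, and the two-user table are all assumptions for illustration; the password hashing, constant-time comparison and identical failure response for unknown users and wrong passwords are the parts a practitioner would want to keep.

```python
"""Model of a form-based login backend suitable as an HTTP AAA target.

Assumptions (not from the forum thread): POST /login with fields 'user' and
'pass'; success = 302 to /home plus an APPSESSION cookie; failure = 401 with
a generic message and no cookie. The IdP side is modelled as checking for the
cookie, which is how a "presence of cookie" style success detection would see it.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Demo value; raise this (OWASP suggests several hundred thousand for SHA-256) in production.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, pbkdf2_sha256 digest); a fresh random salt is used when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed stand-in for the site's user database: username -> (salt, digest).
_USERS: Dict[str, Tuple[bytes, bytes]] = {
    name: hash_password(pw) for name, pw in {"alice": "correct horse", "bob": "hunter2"}.items()
}
# A dummy record is hashed against for unknown usernames so that lookups of
# unknown and known users take the same time (no username timing oracle).
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("unused-dummy-password")

SESSIONS: Dict[str, str] = {}  # session token -> username


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def verify_credentials(username: str, password: str) -> bool:
    """Constant-time check of the password against the stored PBKDF2 digest."""
    salt, stored = _USERS.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
    _, candidate = hash_password(password, salt)
    matched = hmac.compare_digest(candidate, stored)
    # The second condition stops a guess of the dummy password from "matching" an unknown user.
    return matched and username in _USERS


def login(form: Dict[str, str]) -> Response:
    """Handle POST /login. On success issue a session cookie and redirect; on failure 401."""
    username = form.get("user", "")
    password = form.get("pass", "")
    if not verify_credentials(username, password):
        # Same status and message for unknown user and wrong password.
        return Response(401, {"Cache-Control": "no-store"}, "Invalid username or password")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return Response(
        302,
        {
            "Location": "/home",
            "Set-Cookie": f"APPSESSION={token}; Path=/; Secure; HttpOnly; SameSite=Lax",
            "Cache-Control": "no-store",
        },
    )


def logon_succeeded(resp: Response, cookie_name: str = "APPSESSION") -> bool:
    """What the IdP-side form-auth check is modelled as: redirect plus the named cookie set."""
    set_cookie = resp.headers.get("Set-Cookie", "")
    issued_name = set_cookie.split("=", 1)[0].strip()
    return resp.status == 302 and issued_name == cookie_name


def current_user(cookie_header: str) -> Optional[str]:
    """Resolve a later request's Cookie header back to the verified username."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "APPSESSION":
            return SESSIONS.get(value)
    return None


if __name__ == "__main__":
    ok = login({"user": "alice", "pass": "correct horse"})
    bad = login({"user": "alice", "pass": "wrong"})
    print("alice/correct:", ok.status, logon_succeeded(ok))
    print("alice/wrong:  ", bad.status, logon_succeeded(bad))
    cookie = ok.headers["Set-Cookie"].split(";", 1)[0]
    print("session maps back to:", current_user(cookie))
```

The username that passed `verify_credentials` is the identity the IdP would carry forward into the assertion for the partner SP; the app itself never needs to know anything about SAML, which matches the earlier reply that the federation work stays on the BIG-IP.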