APM + SSO questions about server side authentication
I have a good amount of experience working with the F5 as a SAML SP using a 3rd party external IdP and then using Kerberos for server side SSO.
I have a question, though, about other options. Since I am using an external IdP, I can't use NTLM or BASIC for SSO, as they require a username AND password, and I don't have the password, as all I receive from the IdP is the username. Which is why, in the past, I've been using Kerberos - b/c with constrained delegation set up I can query the servers with a service account and get a token for the user in question. With that said, I have some applications that don't support Kerberos, so I'm trying to figure out what SSO options I have. I see that SAML is listed in the SSO section, but I'm not entirely certain how it works and can't find any good documentation. Is it possible for the F5 to function as a SAML SP, to receive assertion information from the external IdP, and then to send that username to an application using SAML (as the SSO method)?
I think that the only other option would be "forms based" if I could get the application owners to write a web page that has a form that simply requires a username. But maybe I'm wrong on that.
In the end all I'm trying to figure out is what are my SSO options if all I have is a username? I know Kerberos is an option, but are there other options?
Thanks!