How best to achieve SSO between APM policies of different types (portal and ltm+apm)?
We provide external access to a number of internal resources via APM in BIG-IP (11.6.0). Some of these resources can only be presented to external users via webtop-based portal access, whilst others only require authentication and load-balancing (ltm+apm).
We would like users to be able to switch between these resources without having to re-authenticate. I have read some discussions about providing SSO between different APM policies using Domain Cookies and also seen suggestions that involve using SAML.
I would prefer to use SAML if possible, as access to some resources is (AD) group dependent and by passing group membership attributes within a SAML assertion, it would presumably allow us to apply specific rules for webtop portal resources.
What I would like to know is whether this is possible. Can APM act as both SP and IdP, so that APM-secured resources defined as Service Providers redirect users to an APM-hosted IdP service which in turn performs authentication and sends an assertion back to the original calling policy?
If it is possible, could someone point me to a KB article or outline briefly, at a high-level, the workflow required to achieve this? If I am over-complicating the solution I am happy to consider any alternatives.
Many thanks,
Barny
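The redirect-and-assertion flow the question describes, as an added, constructed illustration that is not F5 documentation and not an answer from this thread: an IdP side that issues an assertion carrying AD group membership as a `memberOf` attribute, and an SP side that checks the assertion's integrity, audience and expiry before applying a per-resource group rule. The HMAC over the XML is a stand-in for the XML signature a real SAML IdP applies; the function names (`idp_issue_assertion`, `sp_validate`, `authorize`), the `RESOURCE_RULES` table, the audience URL and the group names are all assumptions made for the example.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TS = "%Y-%m-%dT%H:%M:%SZ"
# Constructed shared key: stands in for the IdP's signing key in a real deployment.
SHARED_SECRET = b"constructed-demo-secret"

# Constructed per-resource rules: a resource maps to the set of AD groups that may
# reach it; an empty set means any authenticated user is allowed.
RESOURCE_RULES = {
    "portal-hr": {"HR-Staff"},
    "portal-finance": {"Finance"},
    "intranet": set(),
}


def idp_issue_assertion(subject, groups, audience, now=None):
    """IdP side: build a minimal assertion with a memberOf attribute and an integrity tag."""
    now = now or datetime.now(timezone.utc)
    not_after = (now + timedelta(minutes=5)).strftime(TS)
    values = "".join(
        f"<saml:AttributeValue>{escape(g)}</saml:AttributeValue>" for g in groups
    )
    assertion = (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"<saml:Subject><saml:NameID>{escape(subject)}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotOnOrAfter="{not_after}">'
        f"<saml:AudienceRestriction><saml:Audience>{escape(audience)}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions>"
        '<saml:AttributeStatement><saml:Attribute Name="memberOf">'
        f"{values}</saml:Attribute></saml:AttributeStatement>"
        "</saml:Assertion>"
    )
    # HMAC in place of XML-DSig: anything altered in transit fails verification at the SP.
    tag = hmac.new(SHARED_SECRET, assertion.encode(), hashlib.sha256).hexdigest()
    return assertion, tag


def sp_validate(assertion, tag, expected_audience, now=None):
    """SP side: verify integrity, audience and lifetime, then extract subject and groups."""
    expected = hmac.new(SHARED_SECRET, assertion.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("assertion integrity check failed")
    root = ET.fromstring(assertion)
    audience = root.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS).text
    if audience != expected_audience:
        raise ValueError("assertion was issued for a different SP")
    not_after = datetime.strptime(
        root.find("saml:Conditions", NS).get("NotOnOrAfter"), TS
    ).replace(tzinfo=timezone.utc)
    if (now or datetime.now(timezone.utc)) >= not_after:
        raise ValueError("assertion has expired")
    subject = root.find("saml:Subject/saml:NameID", NS).text
    groups = [
        v.text
        for v in root.findall(
            "saml:AttributeStatement/saml:Attribute[@Name='memberOf']/saml:AttributeValue",
            NS,
        )
    ]
    return subject, groups


def authorize(resource, groups):
    """Apply the per-resource rule to the group list carried in the assertion."""
    required = RESOURCE_RULES[resource]
    return not required or bool(required & set(groups))


if __name__ == "__main__":
    # Constructed user and groups for a local run.
    xml_doc, sig = idp_issue_assertion("barny", ["HR-Staff", "Domain Users"], "https://sp.example/portal")
    who, member_of = sp_validate(xml_doc, sig, "https://sp.example/portal")
    for res in RESOURCE_RULES:
        print(who, res, "allowed" if authorize(res, member_of) else "denied")
```

The SP never trusts the group list on its own: the integrity check, audience check and expiry check all run first, so a tampered or replayed assertion is rejected before any rule is evaluated.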