Multiple F5 IdPs on One Access Profile w/IdP and SP-Initiated Logon
Here is my scenario:
I have multiple external SAML services that we need the F5s to function as an IdP for. The F5s need to support both IdP- and SP-initiated authentication to all of the external SAML services.
I've tried following the guide https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-2/29.html, but I'm not having any luck so far.
The only way I have been able to support IdP- and SP-initiated authentication to multiple servers is to associate each IdP's Entity ID with a unique hostname (e.g. saml-salesforce.company.com/samlidp/salesforce, saml-webex.company.com/samlidp/webex) and then modify the access profile SSO configuration to multi-domain, associating each hostname with the corresponding SSO Config.
Is there a better/cleaner way to do this?
I've tried setting all the Entity IDs to the same hostname (e.g. saml.company.com/samlidp/salesforce, saml.company.com/samlidp/webex) and changing the access profile domain mode to single domain. Every time I do, SP-initiated SSO fails for any configuration not selected under "SSO Configuration". If I select "None", all SP-initiated SSO fails.
Please let me know if you have any input, or if you have any further questions that I can answer.