Forum Discussion

cmp19's avatar
cmp19
Icon for Nimbostratus rankNimbostratus
Sep 11, 2019

F5 SAML IdP with Okta User Facing

Currently have F5 APM set up as a SAML IdP for ~10 SaaS providers. We also have an Okta environment set up with it's own SAML connections to other SaaS providers.

 

We would like to start sending users 100% through Okta but do not want to migrate the current F5 IdP connections to Okta for reasons too long to describe here. Has anyone ever had users authenticate into Okta and at the same time be given access to all the SAML resources on the F5? If I made the F5 an SP for Okta, could I assign the existing F5 SAML resources and allow the user through? I don't believe this would work but am unable to think of other ways to achieve this.

 

Any thoughts would be appreciated.

3 Replies

  • Hello, in this use case is OKTA also an IdP? If so I would think you could deploy this using IdP chaining. From the APM Operations Guide:

     

    https://support.f5.com/csp/article/K08200035

     

    "When you use SAML inline SSO, when BIG-IP APM receives an SP authentication request, it generates a SAML assertion on-the-fly to automatically sign in the user. The BIG-IP APM IdP is chained so that it accepts an assertion from another SAML IdP to create the session. The system constructs session data using the same method."

     

    And some example configurations:

     

    https://devcentral.f5.com/s/articles/apm-cookbook-saml-idp-chaining

     

    https://www.youtube.com/watch?v=HiGbzDyNnw4

    • cmp19's avatar
      cmp19
      Icon for Nimbostratus rankNimbostratus

      Thanks for the response Dave,

       

      If I'm understanding the example you linked, the end user would first connect to F5 which would then relay the authentication request to the IdP (in my case Okta) which would then reply with a "yes" to F5 which would then allow them into the resource they want. In my use case I would like a user to first connect to Okta who would then press a resource button (Salesforce, for example) which would use F5 to gain access to it's pre-existing SAML resources.

       

      Okta has released a guide to run Okta as IDP and F5 as SP to access web resources behind the F5, however these resources are not SAML so I don't believe it would work the same way.

      https://support.okta.com/help/s/article/Okta-Integration-Guide-for-Web-Access-Management-with-F5-BIG-IP#configuringokta

      • Dave_W's avatar
        Dave_W
        Icon for Employee rankEmployee

        Hello, if I am following your environment correctly I think it would be like this, User>>OKTA as IdP>>APM as IdP>>Service. Hence the term IdP chaining.