
steirtet
Sep 09, 2014

APM in clientless mode, support for SAML

Hello, I am looking for a solution to have SAML support in clientless mode. The fact is that my client application does not support any redirect. When the client connects to the SAML SP, no redirect to the SAML IdP is possible. Does anyone know how to solve this problem? Does anyone know if SAML is supported in APM clientless mode? Thierry


6 Replies

  • Hi,

    maybe this link can contain useful information for you about the clientless SAML authentication. It is not directly supported, so a little workaround is needed.

    https://devcentral.f5.com/questions/clientless-sso

    G.


  • Hi,

    Thanks for the answer, but this iRule retrieves the username/password without using SAML. The problem with SAML is that it uses redirects between the SAML SP and the SAML IdP. In this case, redirects are not supported and not allowed. The problem remains: how to solve this via an iRule?

    Thierry


    • Gabriel_V_13146
      Hi, there are several SAML profiles (options for how to use the SAML messages). F5 supports the WebSSO profile, thus redirect/POST SAML messages between SP and IdP. So it's not really clientless. I don't know if it helps, but just an idea: if your SP can consume a SAML assertion, you could use 'IdP-initiated' SSO, so you can let F5 send the LoginResponse directly without any request. That can be done by setting up a webtop with SAML connectors. In that case the APM will expose links (I don't recall the exact URL, see the links which are bound to the webtop links) sending a SAML response to the SP. And as a login action your application just sends the user to the exposed IdP link. Have fun, Gabriel
    • Gabriel_V_13146
      If you really must be clientless, maybe the link provided is what you need. Your application could send a SAML SOAP message with username and password (or other credentials), and you will need to update the provided iRule to dig the data out of the XML instead of a simple POST.
  • This would be difficult to achieve in the absence of redirects, if for no other reason than the SAML web sso passive protocol actually defines this as a requirement. The client must contact the IdP to authenticate. You could use SAML artifact mode to actually retrieve the assertion, but the client still needs to communicate with both parties. An alternative approach might be to have an iRule in front of the SP (a layered LTM VIP) actually perform the IdP logon request on behalf of the user (via sideband communication). The iRule would look something like this:


    1. Collect credentials from initial user request.
    2. Catch the SP's SAMLRequest response message and forward it to APM IdP (also in clientless-mode). Send the user's credentials as HTTP headers.
    3. At the IdP, an iRule would collect the credential headers and insert these into the access policy for authentication. The IdP would then respond to the sideband request with an assertion message (actually a redirect with the SAMLResponse POST encoded within).
    4. The LTM iRule would collect this, extract the SAMLResponse and then forward it to the SP VIP.

    The above assumes APM IdP and SP, but you could use other varieties and customize the sideband messaging accordingly. Are the IdP and SP both APM in your case?
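    As an added, runnable model of the message handling the LTM iRule in steps 2 and 4 would have to perform (example code, not from the original answer or from F5; written in Python rather than Tcl so it runs offline, with constructed sample messages and made-up hosts sp.example and idp.example): it decodes the SP's HTTP-Redirect-binding SAMLRequest, lifts the SAMLResponse out of the IdP's HTTP-POST-binding form, and refuses to relay a Response whose InResponseTo does not name the AuthnRequest that was intercepted.

```python
import base64, re, zlib, urllib.parse
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

def decode_redirect_request(location):
    """Step 2: pull the AuthnRequest out of the SP's 302 Location header.
    HTTP-Redirect binding = raw DEFLATE + base64 + URL-encoding."""
    query = urllib.parse.urlparse(location).query
    raw = urllib.parse.parse_qs(query)["SAMLRequest"][0]   # parse_qs already URL-decodes
    root = ET.fromstring(zlib.decompress(base64.b64decode(raw), -15))
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a SAML AuthnRequest")
    return root.attrib["ID"], root.attrib.get("AssertionConsumerServiceURL")

def extract_post_response(html):
    """Step 4: the IdP's auto-submit page carries the Response in a hidden
    form field (HTTP-POST binding = plain base64)."""
    m = re.search(r'name="SAMLResponse"\s+value="([^"]+)"', html)
    if not m:
        raise ValueError("IdP reply carries no SAMLResponse")
    return m.group(1)

def response_matches_request(saml_response_b64, request_id):
    """Relay to the SP only if the Response answers the request we intercepted;
    otherwise the sideband proxy would forward an unrelated or replayed assertion."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    return root.tag == "{%s}Response" % SAMLP and root.attrib.get("InResponseTo") == request_id

# --- constructed sample messages (not captured from any real deployment) ---
AUTHN_REQUEST = ('<samlp:AuthnRequest xmlns:samlp="%s" ID="_req123" Version="2.0" '
                 'IssueInstant="2014-09-09T10:00:00Z" '
                 'AssertionConsumerServiceURL="https://sp.example/acs"/>' % SAMLP)

def _redirect_binding(xml_text):
    co = zlib.compressobj(9, zlib.DEFLATED, -15)          # -15: raw DEFLATE, no zlib header
    deflated = co.compress(xml_text.encode()) + co.flush()
    return urllib.parse.quote_plus(base64.b64encode(deflated).decode())
SP_LOCATION = "https://idp.example/sso?SAMLRequest=" + _redirect_binding(AUTHN_REQUEST)

def _post_binding(in_response_to):
    xml_text = ('<samlp:Response xmlns:samlp="%s" ID="_resp456" Version="2.0" '
                'InResponseTo="%s"><samlp:Status/></samlp:Response>' % (SAMLP, in_response_to))
    b64 = base64.b64encode(xml_text.encode()).decode()
    return ('<form method="post" action="https://sp.example/acs">'
            '<input type="hidden" name="SAMLResponse" value="%s"/></form>' % b64)

IDP_HTML_OK = _post_binding("_req123")
IDP_HTML_STALE = _post_binding("_req999")   # answers some other request: must not be relayed
```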


  • How can I send the client certificate via a sideband connection to the IdP?


    You'd send data from the client certificate (ex. subject, upn, issuer, etc.) as HTTP headers to the IdP, which also has an iRule applied that will scoop these up and insert into its access policy.