This would be difficult to achieve in the absence of redirects, if for no other reason than the SAML Web SSO passive protocol actually defines this as a requirement. The client must contact the IdP to authenticate. You could use SAML artifact mode to actually retrieve the assertion, but the client still needs to communicate with both parties. An alternative approach might be to have an iRule in front of the SP (a layered LTM VIP) actually perform the IdP logon request on behalf of the user (via sideband communication). The iRule would look something like this:
- Collect credentials from initial user request.
- Catch the SP's SAMLRequest response message and forward it to APM IdP (also in clientless-mode). Send the user's credentials as HTTP headers.
- At the IdP, an iRule would collect the credential headers and insert these into the access policy for authentication. The IdP would then respond to the sideband request with an assertion message (actually a redirect with the SAMLResponse POST encoded within).
- The LTM iRule would collect this, extract the SAMLResponse and then forward it to the SP VIP.
The above assumes APM IdP and SP, but you could use other varieties and customize the sideband messaging accordingly. Are the IdP and SP both APM in your case?
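As an added illustration of steps 3 to 5 of this flow (not part of the original answer, and written in Python rather than as an iRule): decoding the SP's SAMLRequest from its redirect, extracting the SAMLResponse from the IdP's POST-binding page, and checking InResponseTo against the request ID before anything is handed to the SP. The URLs, IDs and messages are constructed samples, not values from a real deployment.

```python
# Constructed sketch (Python, not an F5 iRule) of the broker logic in the post:
# decode the SP's SAMLRequest redirect, pull the SAMLResponse out of the IdP's
# POST-binding page, and forward only a response that answers our request.
import base64, html, re, zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_redirect_request(location: str) -> ET.Element:
    """Redirect binding: SAMLRequest is raw-DEFLATEd, then base64, then URL-encoded."""
    qs = parse_qs(urlparse(location).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    return ET.fromstring(zlib.decompress(raw, -15))  # -15: raw DEFLATE, no zlib header

def extract_post_response(page: str) -> ET.Element:
    """POST binding: SAMLResponse rides in a hidden form field as plain base64."""
    m = re.search(r'name="SAMLResponse"\s+value="([^"]+)"', page)
    if not m:
        raise ValueError("IdP page carries no SAMLResponse field")
    return ET.fromstring(base64.b64decode(html.unescape(m.group(1))))

def broker(location: str, idp_page: str):
    """NameID from the response, or None if it does not answer our request (unsolicited/replayed)."""
    req, resp = decode_redirect_request(location), extract_post_response(idp_page)
    if resp.get("InResponseTo") != req.get("ID"):
        return None
    return resp.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)

def redirect_url(authn_xml: str) -> str:  # builds the SP's redirect, as an SP would
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    b64 = base64.b64encode(c.compress(authn_xml.encode()) + c.flush()).decode()
    return "https://idp.example/sso?SAMLRequest=" + quote(b64, safe="")

def post_page(response_xml: str) -> str:  # builds the IdP's auto-POST page
    b64 = base64.b64encode(response_xml.encode()).decode()
    return ('<form method="post" action="https://sp.example/acs">'
            f'<input type="hidden" name="SAMLResponse" value="{b64}"/></form>')

AUTHN_XML = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
             'ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"/>')
RESPONSE_XML = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" '
                'InResponseTo="_req1" Version="2.0"><saml:Assertion ID="_a1">'
                '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
                '</saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    print(broker(redirect_url(AUTHN_XML), post_page(RESPONSE_XML)))  # alice
```

In a real deployment the broker would also verify the Response signature before trusting the assertion; the InResponseTo check alone only stops it from forwarding a response it never asked for.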