We have an application that is SAML SP aware using Keycloak, and I have configured the SP directly to the Okta IDP, and that works like a charm.
Having said that, we also have the F5 APM module that we want in the mix, acting like an SP proxy of sorts, but I am having trouble visualizing how that would work. I have some questions around having multiple SPs (basically F5 APM acting as an SP and the endpoint app as well) and a single IDP (Okta), and how to pass SAML along.
I have attached a picture of what we are trying to do, and I have the following questions:
a) First, is this possible to do for both IDP-initiated and SP-initiated flows?
b) Can the first SP (F5 APM in this case) pass along or proxy the SAML context info down to the second SP? I know this may be a question for F5 directly, but it doesn't hurt to ask here as well.
c) If I configure the endpoint application SP and IDP back to Okta, where would Okta send the ACS request in response? Back to the F5 APM module or back to the app? Would that mean we need 2 Okta applications?
d) Since F5 APM will ALWAYS be the front door, does the application even need to have the IDP configured, because that would have been taken care of by the F5 APM SP module?
I still question the need for the whole APM module in this particular use case, since our app is SAML aware already. I understand when there is a need for apps that are not SAML aware and APM is used to extract SAML attributes and inject them, for example, into headers that apps downstream understand, etc.
Anyway, any help around this would be greatly appreciated.