Forum Discussion

Kristoffer
Oct 25, 2019

OIDC to SAML

I have a request to create an APM policy.

The server (SAP) only supports SAML, but management wants OIDC against Azure to get full conditional access.

Is there any way to set up Azure OIDC on F5 APM and translate that to SAML to send to the server?


Client -> F5 APM -> AzureAD (OIDC) -> F5 APM -> Server (SAML)

7 Replies

  • In principle I would say yes. As shown here, APM can auth to AzureAD with OpenID:


    https://clouddocs.f5.com/training/community/iam/html/class6/lab4.html


    For SAML you just configure your BIG-IP as IdP and use the above part as the IdP auth.

  • Sounds good, but how does the token translate from OAuth 2.0 to SAML? Is there some magic F5 does for that?

  • You don't exactly translate something. You authenticate against Azure AD, and if that is successful your SAML assertion is provided.

  • Thank you for the response. I now understand I need to set up the OAuth server in the visual policy editor, but to create the IdP config, do I still need to set up SAML on Azure and force the user through both SAML and OAuth through Azure?

    Or do I just need the local SP and not any binding or connectors to that, and then use the visual policy editor to force through OAuth? What will then be sent to the application? Will it understand it as normal SAML when I set up the XML file there?

  • SAP is your SP, BIG-IP is your IdP.


    Azure OAuth is used to do the auth part of the IdP; when that is successful, SAP will be logged in.
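To make the "nothing is translated" point from the replies concrete, here is an added illustration (not F5 code, and not how APM is implemented internally) of what an IdP in the BIG-IP role does: it validates the Azure AD ID token as an OIDC client (issuer, audience, expiry, nonce), and then mints its own SAML 2.0 assertion for the SAP service provider from the verified claims. The tenant id, client id, entity IDs and the sample token are constructed placeholders; signature checks on the ID token and XML signing of the assertion are left out so it runs offline.

```python
import base64, json, time, uuid
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML)
AZURE_TENANT = "11111111-2222-3333-4444-555555555555"  # constructed tenant id
APM_CLIENT_ID = "apm-client-id-placeholder"            # constructed app registration
SP_ENTITY_ID = "https://sap.example.com/saml/metadata"  # constructed SAP SP entityID
IDP_ENTITY_ID = "https://bigip.example.com/idp"         # constructed BIG-IP IdP entityID

def id_token_claims(token, expected_nonce):
    """Checks an OIDC client must make before trusting the Azure AD ID token.
    (Signature verification against the tenant JWKS is omitted in this demo.)"""
    payload = token.split(".")[1]
    c = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if c.get("iss") != f"https://login.microsoftonline.com/{AZURE_TENANT}/v2.0":
        raise ValueError("unexpected issuer")
    if c.get("aud") != APM_CLIENT_ID:
        raise ValueError("token was not issued to this client")
    if c.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    if c.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed or cross-session token)")
    return c

def build_saml_assertion(claims, lifetime=300):
    """Mint a fresh SAML 2.0 assertion from verified claims; the ID token is never forwarded."""
    now = time.time()
    fmt = lambda t: time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(t))
    a = ET.Element(f"{{{SAML}}}Assertion", Version="2.0",
                   ID="_" + uuid.uuid4().hex, IssueInstant=fmt(now))
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID",
                  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                  ).text = claims["preferred_username"]
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions",
                         NotBefore=fmt(now), NotOnOrAfter=fmt(now + lifetime))
    aud = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{SAML}}}Audience").text = SP_ENTITY_ID   # only SAP may consume it
    attrs = ET.SubElement(a, f"{{{SAML}}}AttributeStatement")
    for name in ("oid", "name"):  # selected claims become SAML attributes
        at = ET.SubElement(attrs, f"{{{SAML}}}Attribute", Name=name)
        ET.SubElement(at, f"{{{SAML}}}AttributeValue").text = claims[name]
    return ET.tostring(a, encoding="unicode")   # unsigned here; sign in production

def constructed_id_token(claims):
    """JWT-shaped string for offline demonstration only (no signature)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."
```

The assertion carries the IdP's own issuer, audience and validity window, so the SP never sees or depends on the OAuth token that produced it.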