Multi-factor authentication with two IdPs

Kevin Foote kpfoote at
Fri Aug 28 14:57:10 EDT 2015

> On Aug 28, 2015, at 11:22 AM, Dan Ciarniello <DCiarniello at> wrote:
>> -----Original Message-----
>> From: Cantor, Scott [mailto:cantor.2 at]
>> Sent: Thursday, August 27, 2015 1:58 PM
>> To: Shib Users
>> Subject: Re: Multi-factor authentication with two IdPs
>> On 8/27/15, 4:29 PM, "users on behalf of Dan Ciarniello" <users-
>> bounces at on behalf of DCiarniello at> wrote:
>>> The current setup is, I believe, fairly standard with a service provider behind
>> a reverse proxy (an F5) with an ADFS system providing SSO services.
>>> As I understand it, the basic workflow is:
>>> 1. F5 redirects user to ADFS for login
>>> 2. ADFS returns SAML response to the F5 with various “claims” including a
>> user id
>>> 3. F5 then forwards the SAML response to the service provider
>> Unless the F5 is the SP itself, I'm not sure it's relevant to the conversation.
> In this case the F5 does act as an SP but I don't have the ability to do any customization there that would help solve my problem.

I wouldn’t think you have any control of that either. Additionally I don’t believe step 3 is correct. If the F5 is the SP it is consuming the assertion itself.  

I believe what is happening in the OPs flow description is very similar to the Juniper SSL VPN thread[1][2] of years ago but with F5 hardware / software, (APM formerly FirePass).  



More information about the users mailing list