Documentation

Introduction

Use this guide to enable Multi-Factor Authentication for F5 BIG-IP, and to Base64-encode the user's password and include it in the SAML response so that F5 BIG-IP can decode it for SSO to backend resources.

Prerequisites

1. Have a SecureAuth IdP and F5 BIG-IP SP-initiated SAML partnership established – refer to F5 BIG-IP (SP-initiated) Integration Guide (SAML)

2. Have an F5 BIG-IP SAML Authentication Server up and running

3. Download the SAML20SPInitPost.aspx-9.1.zip file and extract the files in the SecureAuth IdP realm's Customized folder – D:\SecureAuth\SecureAuth[Realm#]\Customized\

NOTE: This realm is the one that has the Service Provider-initiated SAML partnership with F5 BIG-IP configured and enabled

4. Create a New Realm for the F5 BIG-IP integration in the SecureAuth IdP Web Admin

5. Configure the following tabs in the Web Admin before configuring the Post Authentication tab:

  • Overview – the description of the realm and SMTP connections must be defined
  • Data – an enterprise directory must be integrated with SecureAuth IdP
  • Workflow – the way in which users will access this application must be defined
  • Multi-Factor Methods – the Multi-Factor Authentication methods that will be used to access this page (if any) must be defined

SecureAuth IdP Configuration Steps
Workflow
Custom Identity Consumer

1. In the Custom Identity Consumer section, select Custom from the Token Data Type (Send) dropdown

2. Select Password from the Custom Token Fields dropdown

3. Click the >> button to have {Password} auto-populate in the open field

Click Save once the configuration has been completed and before leaving the Workflow page to avoid losing changes 

Post Authentication
4. In the Post Authentication section, select Use Custom Redirect from the Authenticated User Redirect dropdown

5. Set the Redirect To field to Customized/SAML20SPInitPost.aspx

User ID Mapping

6. Select Authenticated User ID from the User ID Mapping dropdown (default)

7. Select True from the Encode to Base64 dropdown

SAML Assertion / WS Federation

8. Set the WSFed / SAML Issuer to a UniqueName that is shared with F5 BIG-IP

This value must match exactly on the F5 BIG-IP side and on the SecureAuth IdP side

9. Provide the SP Start URL to enable SSO and to redirect users to the F5 BIG-IP Virtual Server (VIP) URL

10. Set the SAML Offset Minutes to compensate for clock differences between the devices

11. Set the SAML Valid Hours to limit the length of time for which the SAML assertion is valid

12. Select the certificate to be used to sign the SAML assertion, which is the same certificate that will be uploaded to the F5 BIG-IP SAML Authentication Server

13. Export this certificate in Base64 format, and store it either on a local PC or on the F5 appliance

Click Save once the configuration has been completed and before leaving the Post Authentication page to avoid losing changes 

F5 BIG-IP Configuration Steps
Create an SSO Configuration

1. Log on to the F5 Management Console and navigate to Access

2. Select Single Sign-On and NTLMV2

3. Create a new NTLMV2 SSO Configuration with the settings shown in the image; these variables are used by the iRule defined later

4. Set the NTLM Domain name to the NetBIOS name of the domain to be used for authentication

Create a New Access Profile / Policy

5. Create a new Access Profile from the Profiles / Policies menu

6. In the SSO / Auth Domains section, select the SSO Configuration created in step 3

Edit the Profile's Access Policy

7. Click Access Policy and edit the access policy in the Visual Policy Editor (VPE)

NOTE: The SAML Auth box represents the existing SAML SP-initiated settings of F5 BIG-IP, which are a prerequisite and can be configured using the instructions in F5 BIG-IP (SP-initiated) Integration Guide (SAML)

8. Add an iRule Event and set its ID to decode_saml_password; this ID must match the agent_id string checked by the iRule

9. Ensure the SSO Credential Mapping matches the custom variable values shown in this image, that is, the session.custom.saml_username and session.custom.decoded_saml_password variables populated by the iRule

10. Add a Variable Assign entry on the VPE and set this variable so that the username appears correctly in the logs

Create an iRule

11. Click Local Traffic and then iRules

12. Copy and paste the following iRule into the New iRule editor window

when ACCESS_POLICY_AGENT_EVENT {
  # This event fires for every iRule Event agent in the access policy; act only on ours
  if { [ACCESS::policy agent_id] eq "decode_saml_password" } {
    # The Password attribute arrives Base64-encoded by SecureAuth IdP (Encode to Base64 = True)
    set saml_password [ACCESS::session data get session.saml.last.attr.name.Password]
    set decoded_saml_password [b64decode $saml_password]
    # Store the clear-text value as a secure session variable so it is masked in logs and session reports
    ACCESS::session data set -secure session.custom.decoded_saml_password $decoded_saml_password
    # Use the SAML NameID as the SSO username and as the logon username shown in the logs
    ACCESS::session data set session.custom.saml_username [ACCESS::session data get session.saml.last.nameIDValue]
    ACCESS::session data set session.logon.last.username [ACCESS::session data get session.saml.last.nameIDValue]
  }
}

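As an added illustration (not SecureAuth's or F5's code), the following Python script models the exchange this guide configures end to end: the IdP side builds an assertion whose Conditions window is derived from the SAML Offset Minutes and SAML Valid Hours settings (steps 10 and 11) and carries the Password attribute Base64-encoded (step 7), and the SP side performs the Issuer comparison of step 8 and the time-window check before doing what the iRule above does with the NameID and the Password attribute. The issuer URL, username, password and timestamps are constructed sample values; the element layout is a minimal SAML 2.0 assertion without a signature, so it illustrates the logic rather than replacing a real SAML validator.

```python
# Added example (not SecureAuth's or F5's code): a stand-alone model of the
# assertion this guide configures and of the checks the SP performs on it.
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
ISO = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample values; real ones come from the IdP realm and the SP.
SHARED_ISSUER = "https://idp.example.test/secureauth-f5"  # step 8: must match on both sides
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def _tag(local):
    """Clark-notation tag name for an element in the SAML assertion namespace."""
    return f"{{{SAML_NS}}}{local}"


def build_assertion(issuer, name_id, password, offset_minutes, valid_hours, now):
    """IdP side. Mirrors steps 7, 8, 10 and 11: the Conditions window opens
    offset_minutes before issue time (clock-skew allowance) and closes
    valid_hours after it, and the Password attribute carries the user's
    password Base64-encoded (Encode to Base64 = True)."""
    ET.register_namespace("saml", SAML_NS)
    root = ET.Element(_tag("Assertion"))
    ET.SubElement(root, _tag("Issuer")).text = issuer
    subject = ET.SubElement(root, _tag("Subject"))
    ET.SubElement(subject, _tag("NameID")).text = name_id
    conditions = ET.SubElement(root, _tag("Conditions"))
    conditions.set("NotBefore", (now - timedelta(minutes=offset_minutes)).strftime(ISO))
    conditions.set("NotOnOrAfter", (now + timedelta(hours=valid_hours)).strftime(ISO))
    statement = ET.SubElement(root, _tag("AttributeStatement"))
    attribute = ET.SubElement(statement, _tag("Attribute"), Name="Password")
    ET.SubElement(attribute, _tag("AttributeValue")).text = base64.b64encode(
        password.encode("utf-8")).decode("ascii")
    return ET.tostring(root, encoding="unicode")


def consume_assertion(xml_text, expected_issuer, now):
    """SP side. Checks the Issuer and the Conditions window, then does what
    the iRule does: takes NameID as the username and Base64-decodes the
    Password attribute. Signature verification (with the certificate exported
    in step 13) is out of scope here and would run before any of this."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        return {"ok": False, "reason": "issuer mismatch"}
    conditions = root.find("saml:Conditions", namespaces=NS)
    not_before = datetime.strptime(conditions.get("NotBefore"), ISO).replace(tzinfo=timezone.utc)
    not_on_or_after = datetime.strptime(conditions.get("NotOnOrAfter"), ISO).replace(tzinfo=timezone.utc)
    if now < not_before:
        return {"ok": False, "reason": "not yet valid (skew exceeds SAML Offset Minutes)"}
    if now >= not_on_or_after:
        return {"ok": False, "reason": "expired (older than SAML Valid Hours)"}
    username = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    encoded = root.findtext(
        "saml:AttributeStatement/saml:Attribute[@Name='Password']/saml:AttributeValue",
        namespaces=NS)
    if encoded is None:
        return {"ok": False, "reason": "Password attribute missing"}
    try:
        password = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return {"ok": False, "reason": "Password attribute is not valid Base64"}
    return {"ok": True, "username": username, "password": password}


def demo():
    """Runs the exchange with SAML Offset Minutes = 5 and SAML Valid Hours = 1
    at several SP clock positions and returns the outcome of each."""
    assertion = build_assertion(SHARED_ISSUER, "jdoe", "Pa$$w0rd!", 5, 1, SAMPLE_NOW)
    return {
        "on_time": consume_assertion(assertion, SHARED_ISSUER, SAMPLE_NOW),
        "sp_clock_3min_behind": consume_assertion(
            assertion, SHARED_ISSUER, SAMPLE_NOW - timedelta(minutes=3)),
        "sp_clock_10min_behind": consume_assertion(
            assertion, SHARED_ISSUER, SAMPLE_NOW - timedelta(minutes=10)),
        "presented_after_2h": consume_assertion(
            assertion, SHARED_ISSUER, SAMPLE_NOW + timedelta(hours=2)),
        "wrong_issuer": consume_assertion(assertion, SHARED_ISSUER + "-other", SAMPLE_NOW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the script prints the outcome for each clock position: the 10-minute case shows why SAML Offset Minutes must cover the real skew between the IdP and F5 BIG-IP, and the 2-hour case shows SAML Valid Hours bounding how long an assertion remains usable once issued.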
Add the Access Policy and iRule to the F5 Virtual IP

13. Add the Access Policy to the F5 Virtual IP

14. Add the iRule to the F5 Virtual IP

Test the Configuration Settings

Test the configuration by logging in to the F5 VIP URL and confirming that SSO to the backend resource succeeds