Is it good to use Keycloak with F5 BIG-IP APM and Jira SAML SSO Plugin together?

In order to use IdM (LDAP), SSO and MFA for the Jira application, we are comparing solutions built from the services named in the title.

If we use F5 BIG-IP APM to connect to IdM (LDAP), is it also good to use its IdP solution, as in "Using APM as a SAML IdP SSO portal"? There is an example for connecting AWS: "Configuration Example: BIG-IP APM as SAML IdP for Amazon Web Services".

Another way: is it possible to use F5 APM with Keycloak (as the SSO and MFA solution)? The problem may be that if we use Keycloak with LDAP (FreeIPA), we need to onboard the users again. But a SAML plugin for Jira will authenticate against IdM and provide SSO/MFA features.

So which usage is the best for these requirements?

I believe you are asking for two things in a single request: you are looking for general advice on designing your solution, and also for proof that this has been done / that f5 and keycloak interoperate nicely.

I’ll concentrate on the first as I cannot deliver the second 🙂

I understand that you say there’s an LDAP containing user identities (including passwords), there’s an application (Jira, maybe more as you ask for SSO), and you have f5 (I would guess you run Jira on your own server, and f5 is a secure reverse proxy for your users accessing it from abroad), and you now want SSO (aka SAML+OIDC) and MFA (for instance TOTP).

Correct?

Since f5 is capable of doing a lot, in this discussion we only look at its IDP role.

Let’s see the building blocks:
An IDP (keycloak, f5) can usually leverage an existing user base, so yes, you can feed keycloak from your LDAP (as you can do with f5). No user enrollment (aka password reset) should be required.

Through the OIDC and SAML standards, both supported by keycloak (and f5) and Jira, you can let the IDP authenticate users and have Jira trust this.
Jira has several options, including options to have its own user base mixed with one or more IDPs (via plugin). I just mention this since you may have employees and external (guest) users in Jira but not in the same LDAP.

Finally, yes, keycloak allows you to add MFA: it delivers TOTP out of the box and can plug in more options. I believe f5 can do so as well.

If we are still on the same page, you are now closer to a picture where you can compare cost and features. And to make it even more flexible, through federation you can connect f5 and keycloak, which stays transparent for the users.

So if all relevant modules are already licensed from f5 and that is your corporate strategy, I would think that you need to validate f5. If you look for an independent, open source solution that you can even modify and extend (or have to), then go for keycloak.

You’ll feel the differences when you test-build the two scenarios next to each other.

Thank you very much for your very detailed answer.
You imagined right. That’s what we want to try in our environment.

Your introduction was very clear for both of the different solutions. We can use F5 or Keycloak as the SSO/MFA provider; we are just in the testing stage now.

It seems F5 APM is simple for this case, without considering price.

I also found https://idp.miniorange.com/. What do you think about it?

Hi @rawmain, let’s not speculate; I don’t know them.
I’ll try to give you a different recommendation:
First, IDPs are highly standardized. So the value of an IDP (or their differentiation) is normally not in the protocols they support; all relevant ones do SAML and OIDC. The relevance comes in the effort to connect applications (in case you use more and more cloud services, for instance), so you want an IDP that is well documented, has a great community, lots of examples and maybe a list of “done” integrations.
If that is relevant, have a look at Okta, and don’t ignore Microsoft. These both put effort into building an ecosystem where adding another app is supposed to be a few mouse clicks, and at Okta you don’t even need to know what OIDC or SAML do.
Keycloak and its sibling Red Hat SSO have a great community, and the open source piece allows you to add missing pieces and customize anything, for instance the login page and background (which Microsoft cannot do to that level, while Okta can).

Again, read carefully: I made an assumption and provided some advice for my own assumption.

Stick with the big ones (F5 as you have it, Keycloak, the ones I mentioned above), and if you want to compare, look for comparisons and maybe even a Gartner report (maybe too high level).

Hi @vju42. Thank you very much for your answer again.

I just found how the miniOrange IdP is different from the well-known IdPs:

https://idp.miniorange.com/how-we-are-different/

Sure, we are checking different solutions. After comparing them, we will choose a good one.