F5 Access Policy Manager (APM)

APM is the access control module for F5 BIG-IP. It brokers sign-in to web, legacy, and VPN-published applications; can act as a SAML Service Provider or Identity Provider; integrates with external IdPs as an OIDC/OAuth client; and can run as an OAuth 2.0 authorization server for first-party apps and APIs. It also supports Kerberos SSO to backend apps and “identity-aware proxy” patterns for Zero Trust.

Key Capabilities

  • Standards-based federation & tokens: SAML 2.0 (IdP/SP), OAuth 2.0 & OpenID Connect (client/resource server/authorization server). OIDC discovery and JWKS are supported when integrating with external OIDC providers.

  • Zero Trust & IAP patterns: Per-request access enforcement and identity-aware proxying across on-prem and cloud apps; aligns with ZTNA use cases.

  • Kerberos SSO to legacy apps: Constrained delegation to publish Kerberos/NTLM apps behind modern SSO (often paired with Microsoft Entra “Secure Hybrid Access”).

  • Web/VPN access: Portal/Webtop SSO for browser and thick clients; remote network access with BIG-IP APM VPN features.

Limitations

  • Self-hosted appliance model: APM is deployed on BIG-IP (hardware/VE) and operated by the customer; you manage upgrades, HA, certificates, and policy design.

  • Not an IGA/provisioning system: APM handles access and federation; it does not provide SCIM-based identity governance or user lifecycle services.

  • Complexity for legacy SSO: Kerberos SSO and portal-based replay patterns can require AD delegation, agentless SSO objects, and careful policy construction.

  • Feature mapping by version: OAuth/OIDC/SAML features and guided configs vary by BIG-IP/APM version.
