Enable SAML Service Provider on F5 Distributed Cloud Application

SAML is a federation protocol used to authenticate users.

F5 Distributed Cloud does not yet offer such a solution natively, but thanks to F5 portfolio, it is easy to deploy NGINX in F5 XC and enable SAML as Service Provider.

To do so, we need:

  • A F5 Distributed Cloud tenant
  • A F5 Distributed Cloud vk8s
  • A NGINX Plus subscription (license)
  • The NGINX Plus SAML module : https://github.com/nginxinc/nginx-saml
  • An SAML IDP - in our demo, we will use the Corporate F5 Azure AD


This is the architecture




Create the NGINX Plus docker image

In order to run NGINX Plus in vK8S, NGINX Plus needs to be built as Unprivileged. The NGINX daemon requires it to run as root, but this is not allowed in vK8S.

You can find the GitHub repo with the Dockerfile and steps here : https://github.com/f5devcentral/nginx-unprivileged-f5xc

When the image is created, upload it to a PRIVATE repository. NGINX Plus is not free, so don't push the image into a public repo. In our demo, we will use Azure Container Registry (ACR).


First of all, create a vK8S in your Namespace. Then create a F5 Distributed Cloud Container Registry (with Azure ACR, it is pretty easy - copy and paste the ACR hostname, username and password)

Published Jun 12, 2023
Version 1.0

Was this article helpful?


  • Nikoolayy1 I'm almost 99,9999% sure we can do it as the N+ in vk8s has access to the F5XC internal DNS to resolve the internal LB exposed on the CE.

  • Great article Matt_Dierick . Another good question is if you can send traffic to a not public application without public ip address that is connected with a CE Edge using Nginx on RE as using Nginx on CE with vK8s will solve this but I wonder if there is a way to use the NGINX on the RE and then forward traffic to the CE Edge.

    Maybe if an LB is created on the local CE node and NGINX has in the server farm the LB ip address that on the CE but I never tested this if traffic will be forwarded from the RE to the CE using the IPsec tunnel.