In an enterprise environment, a dynamic setup is a must. For example, when running multiple UVMs behind a BIG-IP F5, the console role can run anywhere, as the load balancer will know where to send you. Like most setups, the password safe will have a different URL from the console. Example: pam.internal.corp and pamconsole.internal.corp.
This works perfectly when using the built-in forms login. It's possible to have the Password Safe role running on all our UVMs. We can change the console role whenever we want. All seemingly works.
Except... when you set up a more secure way of authentication, like SAML.
As the current design hosts both Password Safe and the console in the same application, and there is only one SAML setup possible, there is no way to get this to work.
The only solution offered was to isolate one UVM to make it the dedicated console. That would mean one less Password Safe worker node. It is also a more static setup, so less flexible. Also, there might be no need for a complex load-balancer setup any more, as it has become a static setup.
One very easy solution would be to give the console its own web app.
At the moment there is only one present for SAML:
It would be easy to add a second one, which has SAML configured for the console URL:
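To show why one SAML configuration cannot serve two hostnames, here is an added illustration that is not part of the original post and not BeyondTrust code. It models the service-provider side of SAML 2.0 validation: the Response's Destination must equal the SP's Assertion Consumer Service URL, and the Assertion's AudienceRestriction must name the SP's entity ID. The hostnames pam.internal.corp and pamconsole.internal.corp come from the post; the entity IDs, ACS paths, the SpConfig structure and the sample responses are assumptions constructed for the example. XML signature verification is deliberately omitted; a real SP must verify the signature before trusting any of these fields.

```python
"""Single SAML SP config vs. one config per web app (added illustration).

Assumed names: SpConfig, SINGLE_SP, PER_WEBAPP, the /sp entity IDs and
/saml/acs paths. Only pam.internal.corp and pamconsole.internal.corp come
from the post. Signature checks are omitted on purpose.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


@dataclass(frozen=True)
class SpConfig:
    """What a SAML SP is bound to: its entity ID and its ACS URL (assumed shape)."""
    entity_id: str
    acs_url: str


def validate_response(xml_text: str, sp: SpConfig) -> List[str]:
    """Return validation errors for a SAML Response against one SP config.

    Empty list means the Response is acceptable for this SP. Checks the two
    fields that tie a Response to a hostname: Destination and Audience.
    """
    root = ET.fromstring(xml_text)
    errors: List[str] = []
    destination = root.get("Destination")
    if destination != sp.acs_url:
        errors.append(f"Destination {destination!r} does not match ACS {sp.acs_url!r}")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if sp.entity_id not in audiences:
        errors.append(f"Audience {audiences!r} does not include {sp.entity_id!r}")
    return errors


def build_response(acs_url: str, audience: str) -> str:
    """Construct a minimal, unsigned SAML Response (sample data, not a real IdP's)."""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_r1" Version="2.0" Destination="{acs_url}">'
        '<saml:Assertion ID="_a1" Version="2.0"><saml:Conditions>'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions></saml:Assertion>'
        '</samlp:Response>'
    )


# The situation the post describes: one SAML setup, bound to the Password Safe hostname.
SINGLE_SP = SpConfig(
    entity_id="https://pam.internal.corp/sp",
    acs_url="https://pam.internal.corp/saml/acs",
)

# The situation the post proposes: the console web app gets its own SAML setup.
PER_WEBAPP: Dict[str, SpConfig] = {
    "pam.internal.corp": SINGLE_SP,
    "pamconsole.internal.corp": SpConfig(
        entity_id="https://pamconsole.internal.corp/sp",
        acs_url="https://pamconsole.internal.corp/saml/acs",
    ),
}


def validate_for_host(xml_text: str, host: str, configs: Dict[str, SpConfig]) -> List[str]:
    """Pick the SP config for the Host the load balancer delivered the POST to, then validate."""
    sp = configs.get(host)
    if sp is None:
        return [f"no SAML configuration for host {host!r}"]
    return validate_response(xml_text, sp)


if __name__ == "__main__":
    console_resp = build_response(
        "https://pamconsole.internal.corp/saml/acs", "https://pamconsole.internal.corp/sp"
    )
    print("single config, console login:", validate_response(console_resp, SINGLE_SP))
    print("per-webapp config, console login:",
          validate_for_host(console_resp, "pamconsole.internal.corp", PER_WEBAPP))
```

With the single configuration, a login that the IdP issued for the console hostname fails both checks, which is exactly why the console cannot sit behind a second URL today; with a configuration keyed per web app, the same Response is accepted on the console host and still rejected on the Password Safe host, so each hostname keeps its own trust boundary.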