Forum Discussion

kbasa_279826's avatar
kbasa_279826
Icon for Nimbostratus rankNimbostratus
Aug 02, 2016

AD attributes in SAML assertion

Configured BIG-IP as an IDP and registered SAML Application as SP. Added an AD Authentication and everything works as expected.

 

But now would like to pass few user attributes in the SAML assertion , such as emailaddress of the user. I understand that just adding the attributes in the local IDP would not help.

 

 

also i tried to change the Access Profile

 

 

Could someone list the steps in detail to fetch the attributes from Active Directory and pass the same in SAML assertion.?

 

  • Your first screenshot looks good/right, except that you probably want to give your attribute a much friendlier name(unless your application really wants/needs/expects that long name in http:// format). In order to get that AD Attribute, you need to do AD Query, so your policy looks right. I would suggest changing AD Query outcome to "AD Query Passed" result and you should be all set. If you want to support IDP-initiated logins or more than one SP at the same IDP, I suggest you create SAML Resources and then assign them via Resource Assignment VPE action along with the webtop for better user experience.

     

  • Your first screenshot looks good/right, except that you probably want to give your attribute a much friendlier name(unless your application really wants/needs/expects that long name in http:// format). In order to get that AD Attribute, you need to do AD Query, so your policy looks right. I would suggest changing AD Query outcome to "AD Query Passed" result and you should be all set. If you want to support IDP-initiated logins or more than one SP at the same IDP, I suggest you create SAML Resources and then assign them via Resource Assignment VPE action along with the webtop for better user experience.

     

  • Your first screenshot looks good/right, except that you probably want to give your attribute a much friendlier name(unless your application really wants/needs/expects that long name in http:// format). In order to get that AD Attribute, you need to do AD Query, so your policy looks right. I would suggest changing AD Query outcome to "AD Query Passed" result and you should be all set. If you want to support IDP-initiated logins or more than one SP at the same IDP, I suggest you create SAML Resources and then assign them via Resource Assignment VPE action along with the webtop for better user experience.