Forum Discussion

kbasa_279826's avatar
kbasa_279826
Icon for Nimbostratus rankNimbostratus
Aug 02, 2016

AD attributes in SAML assertion

Configured BIG-IP as an IDP and registered SAML Application as SP. Added an AD Authentication and everything works as expected.   But now would like to pass few user attributes in the SAML asserti...
AAM
access and identity
active directory
ad authentication
BIG-IP Access Policy Manager (APM)
saml
saml assertion
security
  • Michael_Koyfman's avatar
    Michael_Koyfman
    Aug 02, 2016

    Your first screenshot looks good/right, except that you probably want to give your attribute a much friendlier name(unless your application really wants/needs/expects that long name in http:// format). In order to get that AD Attribute, you need to do AD Query, so your policy looks right. I would suggest changing AD Query outcome to "AD Query Passed" result and you should be all set. If you want to support IDP-initiated logins or more than one SP at the same IDP, I suggest you create SAML Resources and then assign them via Resource Assignment VPE action along with the webtop for better user experience.

     

Michael_Koyfman's avatar
Michael_Koyfman
Icon for Cirrocumulus rankCirrocumulus
Aug 02, 2016

Your first screenshot looks good/right, except that you probably want to give your attribute a much friendlier name(unless your application really wants/needs/expects that long name in http:// format). In order to get that AD Attribute, you need to do AD Query, so your policy looks right. I would suggest changing AD Query outcome to "AD Query Passed" result and you should be all set. If you want to support IDP-initiated logins or more than one SP at the same IDP, I suggest you create SAML Resources and then assign them via Resource Assignment VPE action along with the webtop for better user experience.

 

  • kbasa_279826's avatar
    kbasa_279826
    Icon for Nimbostratus rankNimbostratus
    Aug 04, 2016

    Thank you Michael, the suggested changes worked.