Forum Discussion

kbasa_279826's avatar
kbasa_279826
Icon for Nimbostratus rankNimbostratus
Aug 02, 2016

AD attributes in SAML assertion

Configured BIG-IP as an IDP and registered SAML Application as SP. Added an AD Authentication and everything works as expected.   But now would like to pass few user attributes in the SAML asserti...
AAM
access and identity
active directory
ad authentication
BIG-IP Access Policy Manager (APM)
saml
saml assertion
security
  • Michael_Koyfman's avatar
    Michael_Koyfman
    Aug 02, 2016

    Your first screenshot looks good/right, except that you probably want to give your attribute a much friendlier name(unless your application really wants/needs/expects that long name in http:// format). In order to get that AD Attribute, you need to do AD Query, so your policy looks right. I would suggest changing AD Query outcome to "AD Query Passed" result and you should be all set. If you want to support IDP-initiated logins or more than one SP at the same IDP, I suggest you create SAML Resources and then assign them via Resource Assignment VPE action along with the webtop for better user experience.

     

Michael_Koyfma1's avatar
Michael_Koyfma1
Icon for Cirrus rankCirrus

Your first screenshot looks good/right, except that you probably want to give your attribute a much friendlier name(unless your application really wants/needs/expects that long name in http:// format). In order to get that AD Attribute, you need to do AD Query, so your policy looks right. I would suggest changing AD Query outcome to "AD Query Passed" result and you should be all set. If you want to support IDP-initiated logins or more than one SP at the same IDP, I suggest you create SAML Resources and then assign them via Resource Assignment VPE action along with the webtop for better user experience.

 

kbasa_279826's avatar
kbasa_279826
Icon for Nimbostratus rankNimbostratus
Aug 04, 2016

Thank you Michael, the suggested changes worked.