Forum Discussion
ADFS configuration with APM fails when SAM and UPN are NOT identical
Hi guys,
Just in case somebody has an idea about this. We have a customer who is using an ADFS setup together with APM. For older users, UPN and SAM account name are not the same; for newer users they are the same. Now only the new users can log on, and older users get a popup and fail after 3 attempts... Has anybody ever seen this? Some configuration:
apm policy agent aaa-ldap /Common/ACCESS_PROFILE_XXX_act_ldap_auth_ag {
    filter "UserPrincipalName=%{session.logon.last.username}"
    search-dn dc=limbour,dc=be
    server /Common/PROVLIMB_LDAP
    type auth
}
apm policy agent ending-allow /Common/ACCESS_PROFILE_XXX_end_allow_ag { }
apm policy agent ending-deny /Common/ACCESS_PROFILE_XXX_end_deny_ag {
    customization-group /Common/ACCESS_PROFILE_XXX_end_deny_ag
}
apm policy agent logon-page /Common/ACCESS_PROFILE_XXX_act_logon_page_ag {
    customization-group /Common/ACCESS_PROFILE_XXX_act_logon_page_ag
}
apm policy agent variable-assign /Common/ACCESS_PROFILE_XXX_act_sso_credential_mapping_ag {
    type sso-cred-mapping
    variables {
        { expression "mcget {session.logon.last.username}" varname session.sso.token.last.username }
        { expression "mcget {session.logon.last.password}" varname session.sso.token.last.password }
    }
}
4 Replies
- Stanislas_Piro2
Cumulonimbus
Hi,
Can you explain the configuration?
ADFS is the identity provider and APM is the service provider. Is that true?
- If it is, why are you configuring LDAP auth?
- Where is the SAML auth box in your configuration?
- Can you post a screenshot of the VPE?
- jefp_185700
Nimbostratus
Hello Stanislas,
Thanks for the quick reply. It's a customer setup; we were just contacted to fix the issue. The initial configuration was done by them according to the deployment guide: https://www.f5.com/pdf/deployment-guides/microsoft-adfs-dg.pdf But it works for users who have the same SAM and UPN name. We don't use SAML auth in the VPE, so I find it very strange that it's failing when the SAM name is changed... The VPE is very simple: logon page - LDAP auth with UserPrincipalName in the search field and afterwards SSO credential mapping... and it works perfectly (but unfortunately only for users who were recently created).
- Stanislas_Piro2
Cumulonimbus
Hi,
You are talking about ADFS, but there is no ADFS authentication... I think this is an LDAP authentication...
In your configuration, the logon page may strip the domain from the username.
Can you check the values of the variables session.logon.last.username and session.logon.last.logonname?
Try changing the LDAP auth filter to:
(|(sAMAccountName=%{session.logon.last.username})(UserPrincipalName=%{session.logon.last.logonname}))
- Stanislas_Piro2
Cumulonimbus
So the ADFS server is behind the APM virtual server.
After the LDAP auth with the filter I provided, create an LDAP query to get the sAMAccountName attribute.
Then change the SSO credential mapping username to retrieve the username from session.ldap.last.attr.SAMAccountName instead of the logon page username.
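The flow the two replies above describe (logon page, LDAP auth with the OR'd filter, LDAP query for sAMAccountName, SSO credential mapping) as an added Python model. This is example code, not from the thread and not F5's implementation: the two-entry directory is constructed, the logon page is assumed to strip a DOMAIN\ prefix or @domain suffix into session.logon.last.username (the reply only says it "may"), filter values are escaped per RFC 4515 in the model whether or not APM does so, and the filter evaluator only understands the equality/AND/OR subset used here.

```python
import re

# Constructed directory entries (not real accounts): an older user whose
# sAMAccountName and UPN prefix differ, and a newer user where they match.
DIRECTORY = [
    {"dn": "CN=John Doe,OU=Users,DC=example,DC=com",
     "sAMAccountName": "jdoe", "userPrincipalName": "john.doe@example.com"},
    {"dn": "CN=Ann Smith,OU=Users,DC=example,DC=com",
     "sAMAccountName": "asmith", "userPrincipalName": "asmith@example.com"},
]

# The filter from the original post and the OR'd filter suggested in the replies.
OLD_FILTER = "UserPrincipalName=%{session.logon.last.username}"
NEW_FILTER = ("(|(sAMAccountName=%{session.logon.last.username})"
              "(UserPrincipalName=%{session.logon.last.logonname}))")


def logon_variables(entered, strip_domain=True):
    """Model the logon page: logonname keeps what was typed; username has a
    DOMAIN\\ prefix or @domain suffix removed when stripping is on (assumption:
    the thread only says the page 'may' strip the domain)."""
    username = entered
    if strip_domain:
        if "\\" in entered:
            username = entered.split("\\", 1)[1]
        elif "@" in entered:
            username = entered.split("@", 1)[0]
    return {"session.logon.last.username": username,
            "session.logon.last.logonname": entered}


def escape_ldap(value):
    """RFC 4515 escaping so a typed '*', '(' or ')' stays a literal value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def unescape_ldap(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def expand_filter(template, variables):
    """Substitute %{session...} placeholders, escaping each substituted value."""
    return re.sub(r"%\{([^}]+)\}",
                  lambda m: escape_ldap(variables.get(m.group(1), "")), template)


def parse_filter(text):
    """Tiny parser for the subset used here: attr=value, (attr=value), (|...), (&...)."""
    text = text.strip()
    if not text.startswith("("):
        text = "(" + text + ")"
    node, _ = _parse(text, 0)
    return node


def _parse(s, i):
    i += 1  # skip '('
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        return (op, children), i + 1  # skip ')'
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr, unescape_ldap(value)), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (LDAP attribute names are case-insensitive)."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    _, attr, value = node
    actual = next((v for k, v in entry.items() if k.lower() == attr.lower()), None)
    return actual is not None and actual.lower() == value.lower()


def ldap_auth(filter_template, variables, directory=DIRECTORY):
    """Model the LDAP auth agent: exactly one entry must match the expanded filter."""
    node = parse_filter(expand_filter(filter_template, variables))
    hits = [e for e in directory if matches(node, e)]
    return hits[0] if len(hits) == 1 else None


def sso_username(entered, filter_template=NEW_FILTER, strip_domain=True):
    """Logon page -> LDAP auth -> LDAP query for sAMAccountName -> SSO credential mapping.
    Returns what session.sso.token.last.username would receive, or None when auth fails."""
    variables = logon_variables(entered, strip_domain)
    entry = ldap_auth(filter_template, variables)
    if entry is None:
        return None
    # LDAP query step: the directory's sAMAccountName lands in the session variable
    # named in the reply, and the SSO mapping reads that instead of the typed name.
    variables["session.ldap.last.attr.SAMAccountName"] = entry["sAMAccountName"]
    return variables["session.ldap.last.attr.SAMAccountName"]


if __name__ == "__main__":
    for typed in ("jdoe", "EXAMPLE\\jdoe", "john.doe@example.com", "asmith", "nobody"):
        print(f"{typed:22} old filter -> {sso_username(typed, OLD_FILTER)!s:6} "
              f"new filter -> {sso_username(typed)}")
```

Run it as a script to see, for each typed form, what the original UPN-only filter yields next to the OR'd filter: with the OR'd filter the older user is authenticated whether they type jdoe, EXAMPLE\jdoe or john.doe@example.com, and SSO always receives the directory's sAMAccountName rather than whatever was typed, which is the point of adding the LDAP query before the credential mapping.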