Forum Discussion

Jan 20, 2020

ADFS Proxy without password

Hello!


When an SP-initiated federation is initiated and the user gets to BIG-IP APM you normally use a Logon page and send their credentials to ADFS with a "forms client initiated SSO".


But imagine a scenario where your users are authenticated through a "SAML Auth": BIG-IP only has access to their username. When BIG-IP tries to pass credentials with forms client initiated SSO this fails because BIG-IP is unaware of the password, and the user is therefore redirected to the ADFS form-based login page.


Is there any workaround for this? One workaround is to throw up a logon page after a successful SAML auth, but I need a passwordless logon for my purposes.


Regards,

Johan

  • I figured it out. You need to configure a new claims provider (in this case BankID) and make it available to the RPs. Then you need to make BIG-IP choose whether to use the new CP or Active Directory with an iRule.

  • Encrypt the SAML assertion (as it will be in the person's browser), and pass the password as an attribute in the SAML.

    Extract the SAML attribute and add the value to the password variable in APM.

    • Johan_Lång

      But there is no password to encrypt? The external IdP only provides us with a "personal identity number" in the SAML. Neither do these users have any account in our AD.
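The exchange above turns on what an SP such as APM can actually read out of an assertion: the suggestion is to carry the password as a SAML attribute and extract it, and Johan's point is that a BankID-style assertion carries nothing but the personal identity number as the subject. The following is an added example (not code from the forum thread, from F5, or from BankID) that parses a SAML 2.0 assertion, returns the Subject NameID and every attribute value, and then decides whether a forms-based SSO is possible with what the IdP sent. Both assertions are constructed samples, and the attribute names `urn:example:username` and `urn:example:password` are hypothetical. Signature verification and decryption are assumed to have happened before this code runs; it trusts nothing it has not been handed by that step.

```python
"""Show what a SAML SP learns from an assertion and whether forms SSO can follow.

Added example, not the thread's or F5's code. Assumes the assertion's XML
signature has already been verified and any EncryptedAssertion has already
been decrypted; a real deployment must do both before trusting any value.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Hypothetical attribute names an IdP might use if it agreed to send credentials.
USERNAME_ATTR = "urn:example:username"
PASSWORD_ATTR = "urn:example:password"

# Constructed sample: a BankID-style assertion, subject only, no attributes.
BANKID_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_c1" Version="2.0"
    IssueInstant="2020-01-20T10:00:00Z">
  <saml:Issuer>https://idp.example.test/bankid</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">199001011234</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2020-01-20T10:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

# Constructed sample: an IdP that (inside an encrypted assertion) also sends credentials.
CREDENTIAL_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_c2" Version="2.0"
    IssueInstant="2020-01-20T10:00:00Z">
  <saml:Issuer>https://idp.example.test/corp</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{USERNAME_ATTR}"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{PASSWORD_ATTR}"><saml:AttributeValue>constructed-secret</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text: str) -> dict:
    """Return {'subject': NameID or None, 'attributes': {name: [values]}}."""
    # Cheap hardening: a DOCTYPE has no business in a SAML assertion and is the
    # vehicle for entity-expansion tricks, so reject it before parsing.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE not allowed in SAML assertion")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("root element is not a SAML 2.0 Assertion")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    subject = name_id.text.strip() if name_id is not None and name_id.text else None
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {"subject": subject, "attributes": attributes}


def sso_mode(parsed: dict) -> str:
    """Decide how APM could proceed toward ADFS with this assertion.

    'forms-sso'        : username and password both present, forms SSO can run
    'claims-provider'  : only an identity, so ADFS must trust the external IdP
                         directly (the claims-provider route from the thread)
    'reject'           : no usable subject at all
    """
    if not parsed["subject"]:
        return "reject"
    pw = parsed["attributes"].get(PASSWORD_ATTR, [])
    user = parsed["attributes"].get(USERNAME_ATTR, []) or [parsed["subject"]]
    if pw and pw[0] and user[0]:
        return "forms-sso"
    return "claims-provider"


if __name__ == "__main__":
    for label, doc in (("bankid", BANKID_ASSERTION), ("corp", CREDENTIAL_ASSERTION)):
        parsed = parse_assertion(doc)
        print(label, parsed["subject"], sorted(parsed["attributes"]), sso_mode(parsed))
```

Run it and the BankID sample yields a subject of `199001011234` with no attributes, so `sso_mode` returns `claims-provider`; only the constructed credential-bearing assertion reaches `forms-sso`. The decision function is where an APM policy would branch, and it only ever sees what the IdP chose to assert, which is exactly why the thread ends with onboarding the external IdP as an ADFS claims provider instead of trying to manufacture a password on the proxy.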

  • The external IDP needs to send you not only the "personal identity number" but also the password.


    So, you need to do SSO with username and password, but you only have username.

    The IDP needs to provide you the password in the SAML assertion, or you need to ask the user using a logon page as you already said.

    • Johan_Lång

      Here in Sweden we have something called "BankID", issued by our banks. This enables 2FA: the bank issues a certificate and the user has a PIN code. Together with this method you can federate with SAML as in our case; BankID sends only the personal identity number back as a subject name.

      That's it. There is no password to begin with. And no, it's not possible to send over the PIN code, and that would not matter anyhow.

      I've read a lot of posts about ADFS proxy, and tried to figure out whether you can make BIG-IP send a Kerberos token (or something else that would fit) or not, but it seems ADFS proxy is very limited.

      /Johan

  • If the iDP can't send you the password, and I understand why not, you can't use the username and password to authenticate to the internal application/service, that in this case is ADFS.


    Unless you can set up ADFS as a SAML SP for that external IdP, or ADFS can accept what you receive in the SAML assertion (BankID for example) for authentication, I don't see any valid option.
