Forum Discussion
ADFS Proxy without password
- Feb 05, 2020
I figured it out. You need to configure a new claims provider (in this case BankID) and make it available to the RPs. Then you need to make BIG-IP choose whether to use the new CP or Active Directory with an iRule.
The external IdP needs to send you not only the "personal identity number" but also the password.
So, you need to do SSO with username and password, but you only have the username.
The IdP needs to provide you the password in the SAML assertion, or you need to ask the user using a logon page, as you already said.
- Johan_Lång, Jan 23, 2020, Cirrus
Here in Sweden we have something called "BankID", issued by our banks. This enables 2FA: the bank issues a certificate and the user has a PIN code. Together with this method you can federate with SAML, as in our case; BankID sends only the personal identity number back as the subject name.
That's it. There is no password to begin with. And no, it's not possible to send over the PIN code, and that would not matter anyhow.
I've read a lot of posts about ADFS proxy, and tried to figure out whether you can make BIG-IP send a Kerberos token (or something else that would fit) or not, but it seems ADFS proxy is very limited.
/Johan