Forum Discussion
Roman_178798
Nimbostratus
Apr 11, 2016
APM is not forwarding authentication token to ADFS
Hello experts,
We configured AD FS on F5 following the deployment guide named Securing AD FS with the BIG-IP APM.
The customer had another demand: to authenticate with the UPN only, not with the sAMAccountName.
Stanislas_Piro2
Cumulonimbus
Apr 22, 2016
Hi,
The VPE can be the following:
- Logon Page
- Query AD to retrieve the following attributes (with filter UserPrincipalName=%{session.logon.last.username})
  - sAMAccountName
  - memberOf (if you filter based on member group)
- Variable Assign
  - session.logon.last.username = AD attribute name sAMAccountName
  - session.logon.last.ntdomain = Text COMPANY (static value, as it is not stored as an AD attribute)
  - session.logon.last.krbdomain = Session Variable session.ad.last.actualdomain
- AD Auth
- SSO Credential Mapping
Then in SSO, replace session.logon.last.domain with:
- NTLM: session.logon.last.ntdomain
- Kerberos: session.logon.last.krbdomain
You can then choose either SSO method.
For the Kerberos SSO, the following parameters are required:
- One PTR record on IP 1.2.3.4 --> adfs.company.local
The delegation user must be created with:
- sAMAccountName: f5deleg
- UPN: F5deleg@company.local
- SPN: host/F5deleg.company.local (defined with the setspn command or by editing the attribute in the Attributes tab)
- Delegation authorization: HTTP/adfs.company.local
In Kerberos SSO:
- User Realm Source: company.local
- leave Username Source with its default value (or session.ad.last.attr.sAMAccountName)
- set Domain Source to session.logon.last.krbdomain (created in the VPE above)
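The Active Directory and DNS prerequisites listed in the reply above (delegation account, its SPN, the constrained-delegation target and the PTR record), as an added PowerShell example that is not part of the original thread or of F5's deployment guide. It reuses the names and IP from the answer; the OU path, the RSAT modules (ActiveDirectory, DnsServer) and the password prompt are assumptions. It also sets protocol transition (TrustedToAuthForDelegation) on the account, which the answer does not mention: APM authenticates the user with AD Auth rather than receiving a Kerberos ticket from the browser, so it must be allowed to use "any authentication protocol" when requesting a service ticket for HTTP/adfs.company.local on the user's behalf. The last step reads the values back so they can be checked against the APM Kerberos SSO object before testing.

```powershell
# Added example: AD/DNS setup for APM Kerberos SSO to AD FS.
# Run on a domain-joined Windows host with RSAT, as a Domain Admin.
# OU path, password handling and module availability are assumptions.
Import-Module ActiveDirectory
Import-Module DnsServer

$Domain    = 'company.local'
$Sam       = 'f5deleg'
$Upn       = "F5deleg@$Domain"
$HostSpn   = "host/F5deleg.$Domain"        # SPN of the delegation account itself
$TargetSpn = "HTTP/adfs.$Domain"           # service APM may delegate to
$AdfsIp    = '1.2.3.4'
$AdfsFqdn  = "adfs.$Domain"
$OuPath    = 'OU=ServiceAccounts,DC=company,DC=local'   # assumed OU
$Password  = Read-Host -AsSecureString -Prompt "Password for $Sam"

# 1. Delegation account with the sAMAccountName and UPN from the answer.
New-ADUser -Name $Sam -SamAccountName $Sam -UserPrincipalName $Upn `
    -Path $OuPath -AccountPassword $Password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true

# 2. SPN on the account; equivalent of:
#    setspn -S host/F5deleg.company.local COMPANY\f5deleg
Set-ADUser -Identity $Sam -ServicePrincipalNames @{Add = $HostSpn}

# 3. Constrained delegation to the AD FS HTTP service only, with protocol
#    transition. APM never sees the user's TGT (the user logged on with a
#    password via AD Auth), so without TrustedToAuthForDelegation the KDC
#    refuses the S4U2Proxy request and SSO fails.
Set-ADUser -Identity $Sam -Add @{'msDS-AllowedToDelegateTo' = $TargetSpn}
Set-ADAccountControl -Identity $Sam -TrustedToAuthForDelegation $true

# 4. PTR record: APM derives the target SPN host from a reverse lookup of the
#    pool member IP, so 1.2.3.4 must resolve back to adfs.company.local.
$Octets      = $AdfsIp.Split('.')
$ReverseZone = "$($Octets[2]).$($Octets[1]).$($Octets[0]).in-addr.arpa"
Add-DnsServerResourceRecordPtr -ZoneName $ReverseZone -Name $Octets[3] -PtrDomainName $AdfsFqdn

# 5. Read everything back before configuring the APM Kerberos SSO object.
Get-ADUser -Identity $Sam -Properties ServicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
    Select-Object SamAccountName, UserPrincipalName, ServicePrincipalName,
                  'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
Resolve-DnsName -Name $AdfsIp -Type PTR
```

Keep the delegation target limited to HTTP/adfs.company.local: the account can obtain service tickets as any user who passes the APM policy, so every extra SPN in msDS-AllowedToDelegateTo widens what a compromise of the BIG-IP or of this account's password can reach.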