Forum Discussion
APM v12 SAML-idp and Office 365 Implementation
Here is my scenario:
1.) Internal AD is using a domain name of xyz.com
2.) External domain is abc.com
3.) Using APM v12 I am trying to implement SAML-idp using the predefined Office 365 template so I can do away with ADFS completely.
4.) I have a custom login page that APM will use to ask my users to enter their complete e-mail address (user.name@abc.com) then their password.
5.) I need to authenticate to my AD somehow using the credentials in step 4; however, abc.com is not a true MS AD domain. How can I create a custom method to query the UPN and then assign the end user's SAMAccount to a variable, then allow AD to authenticate the user to AD against xyz.com?
I have reviewed lots of information but nothing has really helped me on this one area. I can't authenticate using my UPN.
If anyone has successfully implemented SAML with Office 365 and SSO, can you offer some help based on your experiences?
5 Replies
- Michael_Koyfman
Cirrocumulus
Is there a reason you don't want to ask them to enter their samaccountname to begin with? Just curious. Else, you would have to do an AD Query first and search for upn name there (put userprincipalname = %{session.logon.last.username}), and then set the Samaccountname name to the username variable to session.logon.last.username variable before running AD Auth action.
- Seth_Luther_121
Nimbostratus
This is mostly because of how Office 365 is authenticating our users now currently in a federated setup. I was thinking I would have to put an AD query before the AD Auth but I am stuck on how to accomplish this. I am new to ASM and just hitting the normal learning curve. How would you set the Samaccount name before hitting the ad auth? Or more as in setting up a variable to hold this information then pass it over to the AD Auth for validation.
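The lookup discussed in this thread (find the account by userPrincipalName, then pass its sAMAccountName on to the authentication step), modelled in Python as an added example; it is not APM configuration and not code from any poster. The directory entries, function names and toy filter matcher are assumptions for illustration, and the example goes slightly further than the thread by escaping the typed UPN per RFC 4515 and accepting only a single match.

```python
import re

# Constructed sample directory (not from the thread).
DIRECTORY = [
    {"userPrincipalName": "user.name@abc.com", "sAMAccountName": "uname"},
    {"userPrincipalName": "other.user@abc.com", "sAMAccountName": "ouser"},
]

# RFC 4515: characters that must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_HEX = re.compile(r"\\[0-9a-fA-F]{2}")


def build_upn_filter(upn):
    """Build the search filter with the typed UPN escaped as a literal."""
    value = "".join(_ESCAPES.get(ch, ch) for ch in upn)
    return f"(userPrincipalName={value})"


def _to_regex(token):
    if token == "*":
        return ".*"                                   # unescaped wildcard
    if _HEX.fullmatch(token):
        return re.escape(chr(int(token[1:], 16)))     # \xx is a literal char
    return re.escape(token)


def search(ldap_filter):
    """Toy stand-in for the directory: handles only (userPrincipalName=...)."""
    m = re.fullmatch(r"\(userPrincipalName=(.*)\)", ldap_filter, re.S)
    if not m:
        return []
    tokens = re.split(r"(\*|\\[0-9a-fA-F]{2})", m.group(1))
    pattern = re.compile("".join(map(_to_regex, tokens)), re.I | re.S)
    return [e for e in DIRECTORY if pattern.fullmatch(e["userPrincipalName"])]


def resolve_sam(upn):
    """Return the sAMAccountName only when exactly one entry matches."""
    hits = search(build_upn_filter(upn))
    return hits[0]["sAMAccountName"] if len(hits) == 1 else None


if __name__ == "__main__":
    for typed in ("user.name@abc.com", "user*", "nobody@abc.com"):
        print(typed, "->", resolve_sam(typed))
```

The value returned by `resolve_sam` is what would replace the typed UPN as the username before the authentication step; a `None` result should end the logon attempt.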