APM with SAML for some, AD for others

Question

How do I use SAML for some users, but AD authentication for others.&nbsp;
I have a lab setup where I am using SAML to authenticate to a web page.  My F5 SP provides a login page which asks for email address.  My policy looks like this....&nbsp;
&nbsp;
Under BIgIP as SP I have a binding that binds my IdP with %{session.logon.last.domain} and a domain name.  This functions correctly.&nbsp;
I would like to use the domain part of the email address to determine if SAML is required or AD authentication is required but I can not figure out how to add an AD authenticated domain as a SAML binding.  I have been told that maybe a 'empty box' agent could help but I have not been able to find an example of its use.&nbsp;

niels_van_sluis · Answer

You could extract the domain from the email address and set it with a 'variable assign'. Use  something like this:
session.logon.last.domain = expr { [lindex [split [mcget {session.logon.last.username}] "@"] 1] }

Then you can create an 'Empty Action' to create a Domain Decision box, to do either SAML auth or AD auth. For an example see:
https://devcentral.f5.com/articles/apm-cookbook-multiple-domain-authentication-part-1

Forum Discussion

APM with SAML for some, AD for others

Recent Discussions

BIG-IP Edge Endpoint Inspection Failure pre-VPN

How to export a list of paired external service providers from APM?

How to Renew F5 Device Certificate

BIG IP LTM - Multiple application on single VIP with multiple ports allowed.

Service discovery is not happening in AS3

Related Content

Trying to Fill Some Giant Shoes...

Parsing tmsh command output with Python TextFSM module and some Lessons learned

Some Services are More Equal than Others

How to limit some snmp mib access

need some help with a AS3 declaration

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS