Forum Discussion
AutoFill username for Office 365 Federation
Hi. This is a simple question but I can't find a solution and we are just getting started with our F5 implementation. I have deployed the Office 365 federation using the f5.microsoft_office_365_idp.v1.1.0 iApp. I've got things working, but when it redirects to my login page on the F5 the username field is blank. Is this normal? Is there any way to get the username from O365 and pre-populate that field?
Thanks for any help
Jon
Hello,
It's currently not possible to pass attributes in the authrequest.
As an alternative, you may configure SAML IDP initiated authentication. This way, the user completes the authentication process and is then redirected to O365.
We got this working in our environment.
The following iRule was used to capture the username from the incoming request from o365.
```tcl
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "GetURIusername" } {
        # Read the username parameter from the landing URI and restore the "@"
        set username [string map -nocase {"%40" "@"} [URI::query [ACCESS::session data get session.server.landinguri] username]]
        log local0. "Username = $username"
        ACCESS::session data set session.custom.foundusername "1"
        ACCESS::session data set session.custom.upn $username
        # Pre-fill the logon page with the part before the "@" only
        ACCESS::session data set session.logon.last.username [lindex [split $username "@"] 0]
    }
}
```
After that we have a branch rule that if session.custom.foundusername = 1 it goes to a logon page with a READ ONLY username field. If it's not set, you get a standard logon page.
If you don't have the username as read only it's not populated.
Note that in our iRule we removed the domain from the input as it caused issues.
HTH
- Jonathon_PageNimbostratus
Hi. I found that I had to add an additional iRule on the http_request to parse the referer to get the username and then append it to the URI if it contained a username parameter. Here is my final iRule:
```tcl
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/saml/idp/profile/redirectorpost/sso" } {
        if { [HTTP::header exists "Referer"] } {
            set received_referer [HTTP::header "Referer"]
            log local0. $received_referer
            if { $received_referer contains "username=" } {
                log local0. "referer has username"
                # Pull the username out of the Referer's query string
                set username [URI::decode [URI::query $received_referer username]]
                log local0. $username
                # Re-encode the "@" and append the username to the SSO URI
                HTTP::uri "/saml/idp/profile/redirectorpost/sso?username=[string map -nocase {"@" "%40"} $username]"
            }
            unset received_referer
        }
    }
}
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "GetURIusername" } {
        # Read the username parameter from the landing URI and restore the "@"
        set username [string map -nocase {"%40" "@"} [URI::query [ACCESS::session data get session.server.landinguri] username]]
        log local0. "NewUsername = $username"
        # Only flag the session when a username was actually supplied
        if { $username != "" } {
            ACCESS::session data set session.custom.foundusername "1"
            ACCESS::session data set session.custom.upn $username
            ACCESS::session data set session.logon.last.username $username
        }
    }
}
```
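The username in the iRules above is taken from the query string and the Referer header, both of which the client controls, and it ends up in session variables and the log. A variant of the ACCESS_POLICY_AGENT_EVENT handler that validates the value before storing it, as an added example that is not from any poster in this thread; the UPN pattern and the 254-character limit are assumptions, and `URI::decode` is used here in place of the posters' `string map`:

```tcl
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "GetURIusername" } {
        # The landing URI is built from the client's request (and, via the
        # HTTP_REQUEST handler in the thread, from its Referer): untrusted input.
        set landing [ACCESS::session data get session.server.landinguri]
        set username [URI::decode [URI::query $landing username]]

        # Assumed policy: accept only a UPN-shaped value of bounded length.
        # Adjust the character set and the limit to your directory's rules.
        set upn_re {^[A-Za-z0-9._'+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$}

        if { [string length $username] <= 254 && [regexp -- $upn_re $username] } {
            ACCESS::session data set session.custom.foundusername "1"
            ACCESS::session data set session.custom.upn $username
            ACCESS::session data set session.logon.last.username $username
        } elseif { $username ne "" } {
            # foundusername stays unset, so the branch rule falls through to
            # the standard logon page. Log the length only, not the raw value.
            log local0. "GetURIusername: rejected username parameter, length [string length $username]"
        }
    }
}
```

Because a rejected value never sets session.custom.foundusername, the read-only logon page is only shown for input that passed the check.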
Is this still working for you? We are needing to implement something like this to autopopulate the username on the F5 logon screen for SP initiated requests.
Thanks,
Mike