Forum Discussion
F5 APM as SP
I'm using an F5 instance in AWS as the SP in SAML. The IdP is on-premises ADFS. Authentication against the IdP and the assertion from the IdP are working fine. How can I forward credentials (username or email attribute) to the back-end application sitting in AWS? The application doesn't support SAML.
12 Replies
- AN (Nimbostratus)
@spalan
I am trying to configure ADFS as IdP and F5 APM as SP. I couldn't find any documentation or help on it. For you it seems like the ADFS assertion and authentication are working. I have the APM policy as:
Start -> SAML Auth -> SSO Credential Mapping -> Allow (fallback -> Deny)
I imported the XML file into External IdP Connectors under SAML -> BIG-IP as SP.
Local SP Services are configured as follows:
General Settings
Name: F5-SP
Entity ID: https://login.example.com
SP Name Settings: Scheme: https, Host: login.example.com
Endpoint Settings
Assertion Consumer Service Binding: POST
Security Settings
Checked: Authentication Request (a certificate and key different from the ADFS ones are selected)
Checked: Want Signed Assertion
Unchecked: Want Encrypted Assertion
Advanced Settings
Unchecked: Force Authentication
Checked: Allow Name-Identifier Creation
Name-Identifier Policy Format: urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQual...
SP Name-Identifier Qualifier: None
I am getting the following error:
/frontend/F5-SP:frontend:dbad7144: Executed agent '/frontend/F5-SP_act_saml_auth_ag', return value 3
/frontend/F5-SP:frontend:dbad7144: Session variable 'saml./frontend/F5-SP_act_saml_auth_ag.SAMLRequest' set to 'hhhhhhhhhhhhXXXXXX'
/frontend/F5-SP:frontend:dbad7144: SAML Agent: /frontend/F5-SP_act_saml_auth_ag SAML assertion is invalid, error: Assertion status is not successful
/frontend/F5-SP:frontend:dbad7144: Executed agent '/frontend/F5-SP_act_saml_auth_ag', return value 0
/frontend/F5-SP:frontend:dbad7144: Following rule 'fallback' from item 'SAML Auth' to ending 'Deny'
- Graham_Alderson (Historic F5 Account)
It depends on how the application needs to receive them. You could inject the values into a header, form fill them, or use Kerberos as examples.
After the SAML Auth agent in the policy you'll have some session variables like:
session.saml.last.nameIDValue (This is the subject NameID)
session.saml.last.attr.name.myattributename (This will be whatever your attribute is named in your ADFS implementation)
You could use those session variables directly, or use a Variable Assign agent to move them into something else, such as session.logon.last.username or session.sso.token.last.username.
I'd suggest header insert if you have an option as it is simple to build into an application. You can do it with an iRule or a Per Request Policy. In the Per Request Policy insertion method you can leverage the session variable by calling %{session.saml.last.nameIDValue} as the value you're inserting into the header. Then just have your application configured to read that out of the header.
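The header-insert approach described in the reply above, written out as an iRule. This is an added example and not code from the thread or from F5; it assumes the virtual server carries an APM access profile whose policy runs the SAML Auth agent (so session.saml.last.nameIDValue is populated), that the ADFS claim is issued under the attribute name "mail", and that the backend is configured to read the header names X-Remote-User and X-Remote-Email; all three names are assumptions chosen for the example.

```tcl
# Added example (not from the original thread or from F5): copy the SAML
# subject and one SAML attribute into request headers for a backend that
# does not speak SAML itself.
#
# Assumptions: an APM access policy with a SAML Auth agent is attached to
# this virtual server; the ADFS attribute is named "mail"; the backend reads
# X-Remote-User and X-Remote-Email. Rename these to match your deployment.

when HTTP_REQUEST {
    # Drop any copy of the identity headers sent by the client. Without this
    # a user could choose their own identity by setting the header directly.
    HTTP::header remove "X-Remote-User"
    HTTP::header remove "X-Remote-Email"
}

when ACCESS_ACL_ALLOWED {
    # Fires for every request the access policy has allowed, so the session
    # variables populated by the SAML Auth agent are available here.
    set user [ACCESS::session data get "session.saml.last.nameIDValue"]
    set mail [ACCESS::session data get "session.saml.last.attr.name.mail"]

    if { $user eq "" } {
        # No SAML subject on this session: refuse rather than forward the
        # request with an empty identity header.
        ACCESS::respond 403 content "No authenticated subject" "Connection" "close"
        return
    }

    HTTP::header insert "X-Remote-User" $user
    if { $mail ne "" } {
        HTTP::header insert "X-Remote-Email" $mail
    }
}
```

Stripping the client-supplied headers only helps if the backend cannot be reached except through the BIG-IP; if clients can connect to the application directly, they can set X-Remote-User themselves and the header is no longer proof of anything. Restrict the backend's listeners to the BIG-IP's self IPs (or otherwise ensure all traffic traverses the proxy) before trusting header-based identity.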
- AN (Nimbostratus)
Hi Graham,
Thanks for your response. Actually it's kind of complicated: Splunk is configured for LDAP and they have authorization based on groups.
Now I have F5 as SP configured and ADFS as IdP. I was able to get the above configuration working by unchecking the following under Security Settings: Authentication Request; Want Signed Assertion; Want Encrypted Assertion (unchecked).
Now the challenge is to make Splunk use SAML.
- Graham_Alderson (Historic F5 Account)
Sorry, @Anu Momin, I was commenting on the original question, not your comment, so my answer may not have made sense for your scenario.
A couple things to consider for your scenario...
I would use caution proceeding without enforcing a signed assertion (the "Want Signed Assertion" value). Without that someone may be able to forge an assertion and pretend to be another user.
One possible thing to consider for your situation with the assertion validation issue is that when importing the XML for the external IdP connector it may not have properly imported or attached the ADFS signing certificate. You could go into the external IdP connector and check the "Security Settings" section and see if the IdP Assertion Verification Certificate is selected there.
Regarding the backend auth, it sounds like you're on the right track and moving towards getting Splunk to use SAML auth, since you won't be able to just form fill a logon page that does LDAP on the backend since you don't get the password from ADFS.
- AN (Nimbostratus)
Graham, my apologies, I thought you had responded to my comment. So in the SP settings I just need to have "Want Signed Assertion" and not worry about any other settings?
I have checked and IDP Assertion Verification Certificate has valid Cert.
I went through some options available on Splunk (https://docs.splunk.com/Documentation/Splunk/6.5.1/Security/HowSAMLSSOworks) and found they have configured SSO with all other providers (AD FS, Azure AD, Okta) except F5.
It seems like Splunk only has an option for SAML to work with an IdP. I am trying to understand, if I have an SP, how this would change their config.
- If I got it right, with BIG-IP as SP, BIG-IP will send the SAML info to the backend server and the server doesn't need to redirect the user again to the IdP.
- The other option they have available is ProxySSO, where the proxy passes user identity and groups to Splunk Web through HTTP headers.
