Forum Discussion
F5 APM as SP
It depends on how the application needs to receive them. You could inject the values into a header, form fill them, or use Kerberos as examples.
After the SAML Auth agent in the policy you'll have some session variables like:
session.saml.last.nameIDValue (This is the subject NameID)
session.saml.last.attr.name.myattributename (This will be whatever your attribute is named in your ADFS implementation)
You could use those session variables or you use a Variable Assign agent to move them into something else, such as session.logon.last.username or session.sso.token.last.username.
I'd suggest header insert if you have an option as it is simple to build into an application. You can do it with an iRule or a Per Request Policy. In the Per Request Policy insertion method you can leverage the session variable by calling %{session.saml.last.nameIDValue} as the value you're inserting into the header. Then just have your application configured to read that out of the header.
- AN, Jan 05, 2017 (Nimbostratus)
Hi Graham,
Thanks for your response. Actually it's kind of complicated: Splunk is configured for LDAP and they have authorization based on groups.
Now I have F5 as SP configured and ADFS as IdP... I am able to get the above configuration working by unchecking the following under Security Settings: Authentication Request, Want Signed Assertion, Want Encrypted Assertion.
Now the challenge is to make Splunk use SAML...
- Graham_Alderson, Jan 05, 2017 (Historic F5 Account)
Sorry, @Anu Momin, I was commenting on the original question, not your comment, so my answer may not have made sense for your scenario.
A couple things to consider for your scenario...
I would use caution proceeding without enforcing a signed assertion (the "Want Signed Assertion" value). Without that someone may be able to forge an assertion and pretend to be another user.
One possible thing to consider for your situation with the assertion validation issue is that when importing the XML for the external IdP connector it may not have properly imported or attached the ADFS signing certificate. You could go into the external IdP connector and check the "Security Settings" section and see if the IdP Assertion Verification Certificate is selected there.
Regarding the backend auth, it sounds like you're on the right track and moving towards getting Splunk to use SAML auth, since you won't be able to just form fill a logon page that does LDAP on the backend since you don't get the password from ADFS.
- AN, Jan 06, 2017 (Nimbostratus)
Graham, my apologies, I thought you responded to my comment. So in the SP settings I just need to have "Want Signed Assertion" and not worry about any other stuff?
I have checked and the IdP Assertion Verification Certificate has a valid cert.
I went through some options available on Splunk https://docs.splunk.com/Documentation/Splunk/6.5.1/Security/HowSAMLSSOworks and found they have configured SSO with all other providers (AD FS, AzureAD, Okta) except F5.
It seems like Splunk has an option for SAML to work only with an IdP. I am trying to understand, if I have an SP, how this will change their config.
- If I got it right, with BIG-IP as SP, BIG-IP will send the SAML info to the backend server and the server doesn't need to redirect the user again to the IdP.
- The other option they have available is ProxySSO, where a proxy passes the user identity and groups to Splunk Web through HTTP headers.
- Graham_Alderson, Jan 06, 2017 (Historic F5 Account)
I did a bit of searching and it appears Splunk can do header auth for your SSO, that would be a simpler/better way to go I think. Here are some details from the Splunk site: https://docs.splunk.com/Documentation/Splunk/6.5.1/Security/HowSplunkSSOworks
On the APM side you'll create and add an APM "Per Request Policy" to your Virtual Server. In the Per Request Policy you should add an "HTTP Headers" agent (General Purpose tab). You'll name the header as defined by Splunk, and for the value you should put %{session.saml.last.attr.name.myattributename} if your username is in an attribute from ADFS, or %{session.saml.last.nameIDValue} if your username is in the Subject/NameID from ADFS.
- AN, Jan 09, 2017 (Nimbostratus)
Thanks Graham, I will try that out and will let you know.
- AN, Mar 31, 2017 (Nimbostratus)
Hi Graham, I found that the session variable I am getting has a URL in it: session.saml.last.attr.name.http://schemas.microsoft.com/ws/2008/06/identity/claims/role
When I try to print it in an APM message box:
%{session.saml.last.attr.name.http://schemas.microsoft.com/ws/2008/06/identity/claims/role}
I can print the following fine: %{session.saml.last.assertionIssueInstant} %{session.saml.last.assertionIssuer}
We have special characters (: and /) in the session variable that has the Role information. How would I pass it, or even print it, in my message box?
- Graham_Alderson, Apr 03, 2017 (Historic F5 Account)
AN, a quick solution is to do a Variable Assign right before your message box and assign that into a new variable without the special characters. On the left side of the Variable Assign give it a name, like session.saml.last.myvariable, and on the right side choose session variable and put in session.saml.last.attr.name.http://schemas.microsoft.com/ws/2008/06/identity/claims/role. Then use session.saml.last.myvariable in the message box.
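The header insertion Graham describes for Splunk's ProxySSO, and the reading of the role claim whose session variable name contains ':' and '/', combined into one iRule as an added example (not code from this thread or from F5). It assumes the APM access policy with the SAML Auth agent has already populated session.saml.last.*, that Splunk is configured to read the two header names used here (assumed names), and that the APM session cookie is MRHSession; the removal of any client-supplied copies of those headers is the check a practitioner would want before trusting header-based SSO.

```tcl
# Added example, not from the thread. Inserts identity headers for Splunk
# ProxySSO from the APM SAML session variables discussed above.
when HTTP_REQUEST {
    # Never forward identity headers the client sent: Splunk trusts them,
    # so only values APM derived from the verified assertion may reach it.
    HTTP::header remove "X-Remote-User"
    HTTP::header remove "X-Remote-Groups"

    # Only act once APM has an allowed session for this request.
    set sid [HTTP::cookie value "MRHSession"]
    if { $sid eq "" || ![ACCESS::session exists -state_allow $sid] } {
        # Policy not finished yet; APM will handle the request itself.
        return
    }

    # Subject NameID from the assertion (session variable named in the thread).
    set user [ACCESS::session data get -sid $sid "session.saml.last.nameIDValue"]

    # The ADFS role claim. The ':' and '/' in the variable name are harmless
    # inside a quoted Tcl string, so no Variable Assign is needed here.
    set roles [ACCESS::session data get -sid $sid \
        "session.saml.last.attr.name.http://schemas.microsoft.com/ws/2008/06/identity/claims/role"]

    if { $user ne "" } {
        HTTP::header insert "X-Remote-User" $user
        if { $roles ne "" } {
            HTTP::header insert "X-Remote-Groups" $roles
        }
    } else {
        # Allowed session without a NameID means the SAML Auth agent did not
        # run for it; fail closed rather than sending an empty identity.
        ACCESS::session remove -sid $sid
        HTTP::respond 403 content "No SAML identity in session"
    }
}
```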
- AN, Apr 03, 2017 (Nimbostratus)
Thanks Graham, I figured it out: it is supposed to be mcget {session.saml.last.attr.name.http://schemas.microsoft.com/ws/2008/06/identity/claims/role}
I am sending the variable per request and I can see in my captures the information being passed on. I will have our Splunk team configure the proxy server configuration and hope things will work...
Thanks again for your help...
- AN, Apr 03, 2017 (Nimbostratus)
Thanks Graham.. lolzzz I just saw your reply,,, Thanks for your help..
- AN, Apr 03, 2017 (Nimbostratus)
Hi Graham, I have another thread about a clientless SSO iRule at the following link: https://devcentral.f5.com/questions/clientless-ssocomment46495
I'd appreciate it if you can provide some help...
Thanks.