Forum Discussion
F5 APM as SP
It depends on how the application needs to receive them. You could inject the values into a header, form fill them, or use Kerberos as examples.
After the SAML Auth agent in the policy you'll have some session variables like:
session.saml.last.nameIDValue (This is the subject NameID)
session.saml.last.attr.name.myattributename (This will be whatever your attribute is named in your ADFS implementation)
You could use those session variables, or use a Variable Assign agent to move them into something else, such as session.logon.last.username or session.sso.token.last.username.
I'd suggest header insert if you have an option as it is simple to build into an application. You can do it with an iRule or a Per Request Policy. In the Per Request Policy insertion method you can leverage the session variable by calling %{session.saml.last.nameIDValue} as the value you're inserting into the header. Then just have your application configured to read that out of the header.
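The iRule form of the header insert described above, as an added example that is not part of the original post. The header names X-Remote-User and X-Remote-Groups are assumptions, and myattributename is the placeholder attribute name used in the post. It removes any copy of those headers sent by the client before inserting the values from the APM session, so the application never reads a client-supplied identity.

```tcl
# Added example (not from the original post).
# Assumed header names: X-Remote-User, X-Remote-Groups.
when ACCESS_ACL_ALLOWED {
    # Remove every client-supplied copy first, so the only values the
    # application can see are the ones inserted below from the APM session.
    HTTP::header remove "X-Remote-User"
    HTTP::header remove "X-Remote-Groups"

    # Subject NameID from the SAML assertion.
    set user [ACCESS::session data get "session.saml.last.nameIDValue"]

    # SAML attribute; "myattributename" is the placeholder name from the post.
    set groups [ACCESS::session data get "session.saml.last.attr.name.myattributename"]

    if { $user ne "" } {
        HTTP::header insert "X-Remote-User" $user
    } else {
        # No NameID in the session: send the request on without an identity
        # header rather than with an empty one, and record it.
        log local0. "No SAML NameID in session for [IP::client_addr]; identity header not inserted"
    }

    if { $groups ne "" } {
        HTTP::header insert "X-Remote-Groups" $groups
    }
}
```

On the application side, these headers should be accepted only on connections that arrive from the BIG-IP, since any client that can reach the application directly can set them itself.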
Hi Graham,
Thanks for your response. Actually, it's kind of complicated: Splunk is configured for LDAP and they have authorization based on groups.
Now I have F5 as SP configured and ADFS as IdP... I was able to get the above configuration working by unchecking the following under Security Settings: Authentication Request Want Signed Assertion Unchecked Want Encrypted Assertion
Now the challenge is to make Splunk use SAML...
