Forum Discussion
F5 APM as SP
It depends on how the application needs to receive them. You could inject the values into a header, form fill them, or use Kerberos as examples.
After the SAML Auth agent in the policy you'll have some session variables like:
session.saml.last.nameIDValue (This is the subject NameID)
session.saml.last.attr.name.myattributename (This will be whatever your attribute is named in your ADFS implementation)
You could use those session variables, or use a Variable Assign agent to move them into something else, such as session.logon.last.username or session.sso.token.last.username.
I'd suggest header insert if you have an option as it is simple to build into an application. You can do it with an iRule or a Per Request Policy. In the Per Request Policy insertion method you can leverage the session variable by calling %{session.saml.last.nameIDValue} as the value you're inserting into the header. Then just have your application configured to read that out of the header.
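The iRule variant of the header insert described above, as an added example that is not part of the original post. The header names X-Remote-User and X-Remote-Groups are assumptions, and myattributename is the placeholder attribute name from the post. Any client-supplied copy of each header is removed before the session value is inserted, so the application only ever sees values taken from the APM session.

```tcl
# Added example, not from the thread.
# Assumptions: header names X-Remote-User / X-Remote-Groups are illustrative;
# "myattributename" is the placeholder attribute name used in the post above.
when ACCESS_ACL_ALLOWED {
    # Map of backend header name -> APM session variable set by the SAML Auth agent.
    set hdr_map {
        X-Remote-User   session.saml.last.nameIDValue
        X-Remote-Groups session.saml.last.attr.name.myattributename
    }

    foreach {hdr var} $hdr_map {
        # Remove whatever the client sent under this name first, so a forged
        # header can never reach the application.
        HTTP::header remove $hdr

        # Read the value from the validated APM session.
        set val [ACCESS::session data get $var]

        if { $val ne "" } {
            HTTP::header insert $hdr $val
        } else {
            # Leave the header absent so the application treats the request
            # as carrying no identity, and record which session lacked it.
            log local0.warning "APM session [ACCESS::session sid]: $var is empty, $hdr not inserted"
        }
    }
}
```

The application should accept these headers only on connections coming from the BIG-IP, since anything that can reach the server directly can set them itself.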
Graham, my apologies, I thought you responded to my comment. So in the SP settings I just need to have "Want Signed Assertion" and not worry about any other stuff?
I have checked and IDP Assertion Verification Certificate has valid Cert.
I went through some options available on Splunk https://docs.splunk.com/Documentation/Splunk/6.5.1/Security/HowSAMLSSOworks and found they have configured SSO with all other providers (AD FS, Azure AD, Okta) except F5.
Seems like Splunk has an option for SAML to work only with an IdP. I am trying to understand, if I have an SP, how this would change their config.
- If I got it right, with BIG-IP as SP, BIG-IP will send SAML info to the backend server and the server doesn't need to redirect the user again to the IdP.
- Other option they have available is ProxySSO where proxy passes user identity and groups to Splunk Web through HTTP headers.
