Forum Discussion
F5APM SSO SAML OAUTH
To achieve this, you need to capture the credentials from the F5 APM logon page and use them in the SAML authentication flow. This can be tricky because typically SAML flows do not involve passing raw credentials directly. Here’s how you might approach it:
Access Policy Steps:
- Logon Page:
  - Create a custom logon page to capture the username and password.
  - Set session variables (e.g., session.logon.last.username and session.logon.last.password).
- SAML Authentication:
  - Use the session variables to populate the necessary SAML attributes.
  - Perform the SAML authentication with Azure AD as the IDP.
- SSO to Citrix:
  - After successful SAML authentication, use the captured credentials to perform SSO to Citrix StoreFront.
Example:

```tcl
when ACCESS_POLICY_AGENT_EVENT {
    # Runs from an iRule Event agent placed after the logon page in the access policy.
    # Capture the username and password the logon page stored in the session.
    # The password is kept as a secure (encrypted) session variable, so read it with -secure.
    set username [ACCESS::session data get "session.logon.last.username"]
    set password [ACCESS::session data get -secure "session.logon.last.password"]
    # Populate SAML attributes with the captured credentials
    ACCESS::session data set "session.saml.authnrequest.attribute.username" $username
    ACCESS::session data set -secure "session.saml.authnrequest.attribute.password" $password
}

when ACCESS_SAML_ASSERTION {
    # Fires when APM (acting as SP) receives the assertion from Azure AD.
    # Custom handling of the assertion can be done here, e.g. inspecting the NameID.
    set nameid [ACCESS::session data get "session.saml.last.nameIDValue"]
}

when ACCESS_POLICY_COMPLETED {
    if { [ACCESS::policy result] eq "allow" } {
        # On successful SAML authentication, perform SSO to Citrix StoreFront.
        # HTTP::request is read-only in iRules and cannot send a request, so hand the
        # captured credentials to APM's forms-based SSO object, which performs the
        # POST to StoreFront on the user's behalf.
        set username [ACCESS::session data get "session.logon.last.username"]
        set password [ACCESS::session data get -secure "session.logon.last.password"]
        ACCESS::session data set "session.sso.token.last.username" $username
        ACCESS::session data set -secure "session.sso.token.last.password" $password
    }
}
```
