Forum Discussion
F5APM SSO SAML OAUTH
I am trying to integrate F5 APM with Citrix.
Setup:
- F5 APM SAML SP
- Azure AD SAML IDP
- SSO to Citrix
Issue:
The new Citrix version doesn't support Kerberos tokens, so after the successful SAML authentication, the post-assertion step sends the user information as a Kerberos token, which is then passed to Citrix StoreFront. As Citrix doesn't support Kerberos, it simply presents you with a StoreFront logon page and asks you to log on again. Basically we have to log in twice to launch an application or desktop.
Citrix Workaround:
- Enable SAML on StoreFront
- Create a new external SP connector to StoreFront SAML
- Enable Citrix FAS
- Enable Active Directory CA
- Deploy FAS AD GPO
We can avoid the above design change if we could get the below access policy work:
Start --> Internet Users --> F5 APM External Logon page --> Enter Username & Password --> Capture the Username & Password to a variable --> Input that to right SAML attributes of SAML external IDP connector --> auto feed the username & password to the SAML flow --> on successful SAML authentication --> pass on the username & password from the logon page for the SSO credentials to the StoreFront for SSO
We are not able to figure out a way to capture the username & password from the logon page and pass them into the SAML authentication flow.
Any help & guidance in this regard is greatly appreciated.
- f51
Cirrocumulus
To achieve this, you need to capture the credentials from the F5 APM logon page and use them in the SAML authentication flow. This can be tricky because typically SAML flows do not involve passing raw credentials directly. Here’s how you might approach it:
Access Policy Steps:
- Logon Page:
  - Create a custom logon page to capture the username and password.
  - Set session variables (e.g., session.logon.last.username and session.logon.last.password).
- SAML Authentication:
  - Use the session variables to populate the necessary SAML attributes.
  - Perform the SAML authentication with Azure AD as the IDP.
- SSO to Citrix:
  - After successful SAML authentication, use the captured credentials to perform SSO to Citrix StoreFront.
Example:

```tcl
when ACCESS_POLICY_AGENT_EVENT {
    # Capture the username and password from the logon page
    set username [ACCESS::session data get "session.logon.last.username"]
    set password [ACCESS::session data get "session.logon.last.password"]
    # Populate SAML attributes with captured credentials
    ACCESS::session data set "session.saml.authnrequest.attribute.username" $username
    ACCESS::session data set "session.saml.authnrequest.attribute.password" $password
}

when SAML_REQUEST_SEND {
    # Modify the SAML request if needed
    set saml_request [SAML::request]
    # Custom modifications to the SAML request can be done here
    SAML::request $saml_request
}

when SAML_RESPONSE {
    # Handle the SAML response
    set saml_response [SAML::response]
    # Custom handling of the SAML response can be done here
    SAML::response $saml_response
}

when ACCESS_POLICY_COMPLETED {
    if { [ACCESS::policy result] eq "allow" } {
        # On successful SAML authentication, perform SSO to Citrix StoreFront
        set username [ACCESS::session data get "session.logon.last.username"]
        set password [ACCESS::session data get "session.logon.last.password"]
        # Perform SSO to Citrix StoreFront using the captured credentials
        # This might involve crafting an HTTP POST to StoreFront with the credentials
        # Example:
        HTTP::request "POST /Citrix/StoreWeb/Authentication HTTP/1.1\r\nHost: storefront.example.com\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nusername=$username&password=$password"
    }
}
```
Why would SAML need the password?
As for the username, you could add %{session.logon.last.username} as a SAML attribute or even as the Subject.
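As an added example (not code from this thread or from F5), the iRule below covers the "SSO to Citrix" step of the answer above while following the last reply's point that SAML itself needs only the username: the credentials captured on the APM logon page are handed to the APM SSO object only after the SAML SP agent has validated the assertion and the assertion's Subject matches the username the user typed. It assumes an access policy with a logon page followed by a SAML SP auth agent, a UPN-format NameID, and a forms-based SSO configuration on the virtual server that reads session.sso.token.last.username and session.sso.token.last.password; the UPN-to-username mapping is the example's own.

```tcl
# Added example iRule, not from the thread or from F5.
# Hands the logon-page credentials to the APM SSO object only after the SAML assertion
# was validated and its Subject matches the user who typed the credentials, so a session
# cannot present one identity to the IdP and a different one to StoreFront.
# Assumptions: logon page + SAML SP agent in the policy, NameID is a UPN,
# forms-based SSO object reads session.sso.token.last.username/.password.
when ACCESS_POLICY_COMPLETED {
    if { [ACCESS::policy result] ne "allow" } {
        return
    }
    set sid [ACCESS::session sid]
    # session.saml.last.result is 1 only when the SP agent accepted the assertion
    if { [ACCESS::session data get "session.saml.last.result"] ne "1" } {
        log local0. "session $sid: SAML assertion not validated, SSO token withheld"
        ACCESS::session remove
        return
    }
    set typed  [string tolower [ACCESS::session data get "session.logon.last.username"]]
    set nameid [string tolower [ACCESS::session data get "session.saml.last.identity"]]
    # Bind the federated identity to the typed credential: the user part of the UPN
    # must equal the logon-page username (assumed mapping; adjust to the IdP's NameID format)
    if { ![regexp {^([^@]+)@} $nameid -> upnuser] || $upnuser ne $typed } {
        log local0. "session $sid: logon user '$typed' does not match SAML subject, SSO denied"
        ACCESS::session remove
        return
    }
    # Copy only what the SSO object needs; the password is stored as a secure
    # session variable and is never written to the log
    ACCESS::session data set "session.sso.token.last.username" $typed
    ACCESS::session data set -secure "session.sso.token.last.password" \
        [ACCESS::session data get "session.logon.last.password"]
    log local0. "session $sid: SSO token set for '$typed' after SAML subject check"
}
```

With the SSO object doing the StoreFront form post, no hand-built HTTP request carrying the password is needed in the iRule, and the session report shows the password only as a secure variable.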