How to extract SAML NameID from AuthnRequest
Sorry for the lame question, but if F5 is acting as IdP, shouldn't it have access to NameID already? It will generate the SAML assertion after authentication with the domain controller. On F5, we would have to set an AD query to retrieve attributes from AD and set NameID accordingly (e.g. email/UPN etc.).
Yes and no, SanjayP - you are way further in the process than my question... :)
YES: It should know the NameID, but
NO: Not from the AD/LDAP lookup, but from the SAML AuthnRequest.
Elaboration: My process is:
- User clicks on the SP's login page on "authenticate with SAML" and is prompted to enter e.g. his email address.
- SP decides to send an AuthnRequest to our F5, as this is our IdP. THIS CONTAINS THE NAMEID AND THE SUBJECT ATTRIBUTES. Both contain the user's email address.
- WHAT I WANT TO DO NOW on the F5: Extract either of those attributes, treat them (i.e. cut the @domain part) and set session.last.username.
- Show a login window with just a password prompt (as we already know the user name).
- NOW do the LDAP authentication, LDAP lookup, and calculating the SAML attributes for the SP. (That's where you think we are already - if I get your post correctly.)
- Issue the SAML assertion for the user for connecting the SP.
- SP does - based on the provided SAML attributes - the authorization for its services and grants access accordingly.
So, my question goes to step 3, not to step 5 :)
Cheers,
HP.
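To make step 3 concrete, here is an added example (not code from either poster and not an F5 iRule) showing, in Python, what the IdP side has to do with the incoming `SAMLRequest` parameter: undo the HTTP-Redirect binding (base64 plus raw DEFLATE) or the HTTP-POST binding (base64 only), parse the AuthnRequest, read `Subject/NameID`, and cut off the `@domain` part to obtain a username hint. The AuthnRequest itself, the `sp.example.test` and `example.test` names and the user are all constructed for this example. Because the AuthnRequest arrives before any authentication, the NameID is client-supplied input; the example therefore treats it only as a pre-filled username hint, restricts it to an allow-listed domain and to a conservative character set, and leaves the actual authentication and the AD/LDAP lookup (steps 5 and 6) untouched.

```python
import base64
import re
import zlib
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by AuthnRequest
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
AUTHN_REQUEST_TAG = "{%s}AuthnRequest" % NS["samlp"]

# Constructed sample AuthnRequest with a Subject/NameID (not a real SP's request).
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    AssertionConsumerServiceURL="https://sp.example.test/acs">
  <saml:Issuer>https://sp.example.test/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.test</saml:NameID>
  </saml:Subject>
</samlp:AuthnRequest>"""


def encode_redirect_binding(xml_text):
    """Encode as an SP does for HTTP-Redirect: raw DEFLATE (no zlib header), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(data).decode("ascii")


def encode_post_binding(xml_text):
    """Encode as an SP does for HTTP-POST: base64 of the XML only."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_saml_request(param):
    """Return the AuthnRequest XML text from a SAMLRequest parameter of either binding."""
    raw = base64.b64decode(param)
    # POST binding delivers plain XML; Redirect binding delivers raw DEFLATE data.
    if raw.lstrip().startswith(b"<"):
        return raw.decode("utf-8")
    return zlib.decompress(raw, -15).decode("utf-8")


def extract_name_id(xml_text):
    """Return (NameID value, Format) from Subject/NameID, or (None, None) when absent.

    The stdlib parser does not fetch external entities, but in production an
    XML parser hardened against DTD/XXE tricks (e.g. defusedxml) is preferable,
    since this input is unauthenticated.
    """
    root = ET.fromstring(xml_text)
    if root.tag != AUTHN_REQUEST_TAG:
        raise ValueError("not a SAML 2.0 AuthnRequest")
    node = root.find("saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        return None, None
    return node.text.strip(), node.get("Format")


def username_hint(name_id, allowed_domains):
    """Cut the @domain part; accept only allow-listed domains and a safe local part.

    The result is only a hint to pre-fill the login form (session.last.username);
    it proves nothing until the password check against LDAP succeeds.
    """
    local, sep, domain = name_id.partition("@")
    if not sep or domain.lower() not in allowed_domains:
        return None
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,64}", local):
        return None
    return local


def username_from_saml_request(param, allowed_domains):
    """Whole step 3: SAMLRequest parameter -> username hint, or None if unusable."""
    name_id, _fmt = extract_name_id(decode_saml_request(param))
    if name_id is None:
        return None
    return username_hint(name_id, allowed_domains)


if __name__ == "__main__":
    param = encode_redirect_binding(SAMPLE_AUTHN_REQUEST)
    print(username_from_saml_request(param, {"example.test"}))  # jane.doe
```

On a BIG-IP the same logic would live in an iRule or an APM access policy step that reads the `SAMLRequest` query or form parameter and writes the result to `session.last.username`; the point the example makes is that the domain allow-list and character check belong in that step, because anything in the AuthnRequest was chosen by whoever sent it.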