Forum Discussion
hpr
Altostratus
AltostratusHowto extract SAML NameID from AuthnRequest
Hi Gurus, I'm about to implement a SP-initiated SAML connection to our BigIP APM, set up as IdP, currently v15.1.2, eagerly awaiting some bug resolutions for the upgrade to 16.1. I want to su...
spalande
Nacreous
Nacreoussorry for the lame question,but if F5 is acting as IDP, shouldn't it have access to nameID already? It will generate the SAML assertion after authentication with domain controller. on F5, we would have to set AD query to retrive attributes from AD and set nameID accordingly (e.g. email/UPN etc).
hprAltostratus
AltostratusYes and no, SanjayP - you are way further in the process than my question... :)
YES: It should know the NameID, but
NO: Not from the AD/LDAP-Lookup, but from the SAML Authnrequest.
Elaboration: My process is:
- User clicks on SP's login page on "authenticate with SAML" and is prompted to enter e.g. his email address
- SP decides to send an Authrequest to our f5, as this is our IdP. THIS CONTAINS THE NAMEID AND THE SUBCECT ATTRIBUTES. Both contain the user's email address
- WHAT I WANT TO DO NOW on the f5: Extract either of those Attributes, treat them (ie. cut the @domain part) and set session.last.username.
- Show a login window with just a password prompt (as we already know the user name).
- NOW do the LDAP authentication, LDAP lookup, and calculating the SAML Attributes for the SP. (Thats's where you think we are already - if I get your post correctly).
- Issue the SAML assertion for the User for connecting the SP.
- SP does - based on the provided SAML attributes - the authorization for his services and grants access accordingly.
So, my question goes to step 3, not to step 5 :)
Cheers,
HP.
