Forum Discussion
How to extract SAML NameID from AuthnRequest
>Are you sure, you can see email address in authrequest?
Affirm, SAML Tracer shows it - even twice. 🙂
> This would first need checking how the email address is being sent (as part of a header, the URI or the payload), then writing an iRule to extract it, set a custom session parameter with it and use that in the login page.
IMHO it's part of the payload:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ...snip...
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">myEMAILAddress@hereWhereIAm.ch</saml:NameID>
  </saml:Subject>
  <samlp:NameIDPolicy AllowCreate="true"
                      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
  />
</samlp:AuthnRequest>

But what I still am confused about: am I really the first person on earth trying to avoid making users enter a redundant logon name twice? I simply can't imagine that this wheel hasn't been invented yet. 😏
Since SP and IDP sessions are totally different and independent of each other, it would need custom rules built to extract the user. I haven't seen that implemented in many places. We will keep the forum open for others to provide any input if there is an easy way to extract this.
On a separate note, how about modifying the page at the SP end to omit the user field and just have a sign-in button, which would redirect the user to the IDP, so the user would have to enter it only once on the IDP page? I know this isn't an ideal option, but just thinking out loud.
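The extraction step both replies describe (decode the SAMLRequest the SP sends, pull the NameID out of the AuthnRequest's Subject, and hand it to the IdP login page as a prefill value) is shown below as an added reference model in Python. It is not code from this thread or from F5; on a BIG-IP the same steps would be written in Tcl inside an iRule. The sample AuthnRequest is constructed to match the shape of the one posted above, and the size bound `MAX_REQUEST_BYTES` is my assumption. The request can arrive via the HTTP-Redirect binding (URL-encoded base64 of a raw DEFLATE stream in the `SAMLRequest` query parameter) or the HTTP-POST binding (plain base64 in a form field), so both are decoded. Two caveats a practitioner should keep in mind: the NameID in an AuthnRequest is an unauthenticated hint supplied by whoever built the request, so it is only suitable for prefilling the logon-name field (and must be output-escaped on that page), never for asserting identity; and the inflate step should be size-bounded so a tiny compressed request cannot expand into something that exhausts the IdP.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

# Namespaces used by the AuthnRequest posted in the thread.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumption: a legitimate AuthnRequest is a few KB at most. Capping the inflated
# size stops a small, highly compressible SAMLRequest from ballooning in memory.
MAX_REQUEST_BYTES = 64 * 1024

# Constructed sample (not a capture), shaped like the request shown in the thread.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.test/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user@example.test</saml:NameID>
  </saml:Subject>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>"""


def decode_saml_request(value: str, binding: str) -> str:
    """Recover the AuthnRequest XML from a SAMLRequest value for the given binding."""
    if binding == "redirect":
        # HTTP-Redirect binding: URL-encoding over base64 over raw DEFLATE (no zlib header).
        raw = base64.b64decode(urllib.parse.unquote(value), validate=True)
        inflater = zlib.decompressobj(wbits=-15)
        xml_bytes = inflater.decompress(raw, MAX_REQUEST_BYTES)
        # Unconsumed input or an unfinished stream means the bound was hit (or the
        # stream is malformed); reject rather than keep inflating.
        if inflater.unconsumed_tail or not inflater.eof:
            raise ValueError("AuthnRequest exceeds MAX_REQUEST_BYTES or is truncated")
        return xml_bytes.decode("utf-8")
    if binding == "post":
        # HTTP-POST binding: plain base64 in the SAMLRequest form field.
        return base64.b64decode(value, validate=True).decode("utf-8")
    raise ValueError(f"unsupported binding: {binding}")


def extract_name_id(xml_text: str):
    """Return (NameID text, Format) from the request's Subject, or None if absent.

    The value is untrusted input from the SP side: use it only to prefill the
    logon-name field, never as an authenticated identity.
    """
    # For a production IdP component, prefer defusedxml over the stdlib parser.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return None
    node = root.find("saml:Subject/saml:NameID", NS)
    if node is None or not node.text or not node.text.strip():
        return None
    return node.text.strip(), node.get("Format")


def encode_redirect(xml_text: str) -> str:
    """Encode as an SP does for the HTTP-Redirect binding (used to build demo input)."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def encode_post(xml_text: str) -> str:
    """Encode as an SP does for the HTTP-POST binding (used to build demo input)."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    for binding, encoder in (("redirect", encode_redirect), ("post", encode_post)):
        wire_value = encoder(SAMPLE_AUTHN_REQUEST)
        xml_text = decode_saml_request(wire_value, binding)
        print(binding, "->", extract_name_id(xml_text))
```

Both bindings yield `('user@example.test', 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified')` for the sample; the returned Format is worth checking before prefilling, since an SP that sends a persistent or transient identifier is not sending a logon name at all.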