Forum Discussion
Howto extract SAML NameID from AuthnRequest
>Are you sure, you can see email address in authrequest?
Affirm, SAML Tracer shows it - even twice. 🙂
> This would first need checking how the email address is being sent (either as part of a header, the URI or the payload), then writing an iRule to extract it, setting a custom session parameter with it and using that on the login page.
IMHO it's part of the payload:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ...snip...
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">myEMAILAddress@hereWhereIAm.ch</saml:NameID>
  </saml:Subject>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
  />
</samlp:AuthnRequest>
But what I am still confused about: am I really the first person on earth trying to avoid having users enter the redundant logon name twice? I simply can't imagine that this wheel hasn't been invented yet. 😏
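The decoding and extraction steps the thread is talking about, as an added example that is not part of the original post or of any F5 iRule: it takes the SAMLRequest parameter of an AuthnRequest in either the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoded) or the HTTP-POST binding (plain base64), parses the XML and pulls the saml:Subject/saml:NameID value out so it can be used to prefill the IdP login form. The AuthnRequest XML, hostnames and the email address are constructed for the example. Two caveats a practitioner should carry over to an iRule: the inflated request gets a size limit (a tiny compressed SAMLRequest can inflate to many megabytes), and the NameID in an AuthnRequest is whatever the SP, or anyone who can craft a request to the IdP, put there, so it is only a display hint and must never be used to select or authenticate an account. Signature verification of the request is out of scope here.

```python
"""Extract the saml:Subject/saml:NameID hint from a SAML 2.0 AuthnRequest
delivered via the HTTP-Redirect or HTTP-POST binding (added example)."""
import base64
import re
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample request; the SP, ID and address are invented for this example.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-request-id" Version="2.0" IssueInstant="2021-08-05T00:00:00Z"
    AssertionConsumerServiceURL="https://sp.example.com/saml/acs">
  <saml:Issuer>https://sp.example.com/saml/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">first.last@example.com</saml:NameID>
  </saml:Subject>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>"""

MAX_DECODED = 64 * 1024  # refuse AuthnRequests that inflate beyond this (decompression-bomb guard)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,}")


def encode_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode."""
    comp = zlib.compressobj(wbits=-15)
    raw = comp.compress(xml_text.encode()) + comp.flush()
    return urllib.parse.quote(base64.b64encode(raw).decode(), safe="")


def encode_post(xml_text):
    """HTTP-POST binding: plain base64 in the SAMLRequest form field."""
    return base64.b64encode(xml_text.encode()).decode()


def decode_saml_request(value, binding):
    """Return the XML text carried by a SAMLRequest parameter for the given binding."""
    if binding == "redirect":
        raw = base64.b64decode(urllib.parse.unquote(value), validate=True)
        inflater = zlib.decompressobj(wbits=-15)
        xml_bytes = inflater.decompress(raw, MAX_DECODED)
        # Either leftover input or an unfinished stream means the limit was hit.
        if inflater.unconsumed_tail or not inflater.eof:
            raise ValueError("inflated AuthnRequest exceeds %d bytes" % MAX_DECODED)
        return xml_bytes.decode()
    if binding == "post":
        xml_bytes = base64.b64decode(value, validate=True)
        if len(xml_bytes) > MAX_DECODED:
            raise ValueError("AuthnRequest exceeds %d bytes" % MAX_DECODED)
        return xml_bytes.decode()
    raise ValueError("unknown binding: %r" % binding)


def extract_nameid(xml_text):
    """Return (value, Format) of saml:Subject/saml:NameID, or None if the request carries no hint."""
    # The stdlib parser still expands internal entities; rejecting any DTD blocks
    # billion-laughs style payloads (use defusedxml in production code).
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DTD not allowed in AuthnRequest")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    node = root.find("saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        return None
    return node.text.strip(), node.get("Format")


def username_hint(saml_request, binding):
    """Unauthenticated value for prefilling the IdP login form, or None.

    The SP controls this field, so it is a display hint only: never use it to
    skip authentication or to choose which account the session belongs to."""
    try:
        found = extract_nameid(decode_saml_request(saml_request, binding))
    except (ValueError, zlib.error, ET.ParseError, UnicodeDecodeError):
        return None
    if found is None:
        return None
    value, _fmt = found
    # Only pass through something that looks like an address; anything else stays blank.
    return value if EMAIL_RE.fullmatch(value) else None


if __name__ == "__main__":
    for binding, encoder in (("redirect", encode_redirect), ("post", encode_post)):
        print(binding, "->", username_hint(encoder(SAMPLE_AUTHN_REQUEST), binding))
```

Running the block round-trips the constructed request through both bindings and prints the extracted address for each. The same three steps (undo the binding's encoding, parse the XML, read saml:Subject/saml:NameID) are what a custom iRule would have to replicate before storing the value in a session variable for the logon page; the size limit and the "hint only" rule apply there just the same.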
Since SP and IdP sessions are totally different and independent of each other, custom rules would need to be built to extract the user. I haven't seen that implemented in many places. We will keep the thread open for others to provide input in case there is an easy way to extract this.
On a separate note, how about modifying the page at the SP end to omit the user field and just have a sign-in button, which redirects the user to the IdP, so the user has to enter it only once on the IdP page? I know this isn't the ideal option, but just thinking out loud.
- Peter_Baumann, Aug 05, 2021, Cirrostratus
Hi SanjayP,
I have an example for an SP, the Adobe Cloud.
It is handled the same way as the Microsoft auth page: you first need to specify a NameID (first.last@domain.com), then the authenticator recognizes the @domain.com and redirects to the IdP.
Documentation from Adobe: https://helpx.adobe.com/enterprise/using/set-up-identity.html#set-up-directory
So how is that supposed to work when we have a button on this logon page?
Do we then have buttons for every organization on the logon page?
I think this will not scale.
Do you understand now what hpr means?
In this example:
Open adobe.com logon page -> Enter first.last@domain.com -> Adobe does the redirect to the IdP for @domain.com.
What you mean is the way it is done with OAuth 2.0/OIDC, where the big players like Google/GitHub/Twitter etc. have buttons for login.
In SAML it is solved differently, see the Adobe documentation above.
I hope this helps to enlighten the question above a little bit.
Thanks,
Peter