Forum Discussion

dp_119903
Oct 05, 2015

Multiple SSO Methods - or a better way to fill in a form?

I have an access policy that I'm using NTLM SSO on. I have users from multiple domains authenticating and accessing a SharePoint site. My access policy is pretty simple. I have a decision tree (asking which domain they are a member of) and then when they select domain1 it takes them to a logon page that has AD auth to domain1 with SSO credential mapping afterwards to get the NTLM to work. If they select domain2 it takes them to a logon page that has AD auth to domain2 with SSO credential mapping afterwards to get the NTLM to work. And this works great.


Now, we have a need to offer some additional multi-factor authentication methods. Initially I wanted to do the initial authentication via the APM, however for security reasons it has been determined that it would be preferred if we could use our existing external IDP to do this. I went ahead and added a SAML auth after the SSO credential mapping so that we could use our external IDP (plus I already had SAML set up for this as originally we were going to use SAML auth and then Kerberos SSO... but I had to scrap that b/c of issues with the multiple domains and some security concerns about the trust that was required to make Kerberos work).


And it works well.


I put the webpage into a browser, I get directed to the F5 login page, I select my domain, I authenticate and then it takes me to the external IDP. I log on there and do the additional authentication and then get redirected back to the SharePoint site and everything works. The only thing I would like to change is, since the user is putting their username and password in the initial logon page, I'd like to make it so that when they hit that external IDP the username and password are populated into the web page. There's no reason to make them log in with the same credentials twice. I believe that this is possible using SSO form (though I haven't been able to make that work), but the bigger issue here is that I believe I can only have one SSO method. So right now I have NTLMv2, and even if I could get the forms thing to work it would mean that my users would then get the pesky Windows security prompt (since I would no longer have the NTLM SSO).


So my simple question is this. Is there a way, within an access policy, to fill in an external login page (iRule maybe) other than changing the SSO method (since I need the SSO method to be NTLMv2)?


Thanks!


  • That's absolutely correct. Since your client is directly accessing an external resource, you can't auto-submit credentials to that site. The better option, if the external IdP can do it, is to have it encrypt the client's credentials back into the assertion. Or better, enable artifact mode so that these credentials aren't in the client's data path. Otherwise you might have to re-investigate using Kerberos if you don't have a password.


  • Is it possible to just use the external IdP as the single source of login data and then send the password as an attribute back to F5 for SSO purposes?


  • After thinking about this more I don't think this is possible. The user is redirected to the external logon page (IDP)... and that process doesn't go through the F5, so how would the F5 plug in the username/password field? I guess I can chalk this up to not possible.