Forum Discussion
Need help filling in the missing pieces for my SAML SP to LDAP Query scenario.
Let me start off by saying that I am pretty new to administering the F5 APM and F5 technology in general. With that being said here is what I'm trying to accomplish:
I am trying to set up a new external portal access. The way we would like this to work would be to have the F5 APM be set up as a SAML SP that authenticates against our corporate IdP with their AD credentials. The user would then be returned to a Dynamic Webtop displaying what the user has access to based on an LDAP query. Then to be able to use SSO to allow the users access to those resources. I have most of it set up already, but I believe I am having an issue with passing the username over to the LDAP Query in the correct format. Here is how my access policy looks so far:
I believe I need a Variable Assign after SAML Auth splitting the domain from the username. The format for the logon is Domain\Username. That should work as we purposefully have our AD usernames and LDAP usernames in the same format. I'm just not sure what the Variable Assign should contain. I believe it should be pulling from "session.saml.last.identity" to get the username information, but how do I get it to split the domain from the username?
I am also not sure if the SSO Credential Mappings item is correct. It is currently set up so that the SSO Token Username is set to Username from Logon Page, but I'm not sure what the custom attribute should be.
If someone could please help me out filling in the missing pieces here and maybe show me some examples, I would appreciate it.
Thanks,
3 Replies
- gpracer69
Nimbostratus
Sorry, I forgot to add this, I am using F5 APM 11.6.0 HF6
- Jad_Tabbara__J1
Cirrostratus
Hello,
You will need first to retrieve SAML attributes after the SAML Auth.
Just add a "Variable Assign" block with the following information:
session.logon.last.identity = Session Variable session.saml.last.attr.name.identity
Then you must format the variable by splitting it. You can either do it using an "iRule event" or directly within the VPE using TCL.
From the VPE: add a new entry to your Variable Assign block with the following custom expression:
set identity [mcget {session.logon.last.identity}]
set table [split $identity "\\"]
return [lindex $table 1]
The returned value will be the username from "domain\username". Assign this returned value to the variable "session.logon.last.username" that you will use afterwards to make the LDAP Query.
The SSO Cred. Mapping will set the following SSO variables: session.sso.token.last.username and session.sso.token.last.password. These variables are used in the SSO objects, if any are used... You need to set them with the correct values in order to authenticate on the load-balanced server.
Hope that it helps
Regards
- Stanislas_Piro2
Cumulonimbus
Hi,
In my ADFS / F5 APM configuration, I use User-Principal-Name LDAP attribute for Name ID outgoing claim.
Then, in LDAP (or AD) Query, use the following filter:
(userPrincipalName=%{session.saml.last.identity})
You can then assign session.ad.last.attr.sAMAccountName to session.logon.last.username and session.logon.last.logonname.
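Pulling the two replies together, here is an added example (not code from this thread or from F5) of a Variable Assign custom expression that normalises the SAML NameID into a bare username before the LDAP Query runs. It covers the DOMAIN\username form from the first reply, the userPrincipalName form from the second, and a bare username. It assumes the NameID arrives in session.saml.last.identity. The `lindex $table 1` form in the earlier reply yields an empty string when the value contains no backslash; this version keeps the whole value in that case. Because whatever the expression returns is substituted unescaped into the LDAP filter, it also refuses empty results and LDAP filter metacharacters, so a malformed or unexpected NameID ends up on the LDAP Query's fallback branch rather than in a broken filter.

```tcl
# Added example, not from the thread or from F5: Variable Assign custom
# expression that turns the SAML NameID into a bare username.
# Assumes session.saml.last.identity holds one of
#   "CORP\jdoe"  (DOMAIN\username)
#   "jdoe@corp.example"  (userPrincipalName)
#   "jdoe"  (bare username)
set identity [mcget {session.saml.last.identity}]

# DOMAIN\user: keep everything after the last backslash.
# A value without a backslash is kept whole instead of becoming "".
set pos [string last "\\" $identity]
if { $pos >= 0 } {
    set identity [string range $identity [expr {$pos + 1}] end]
}

# user@domain (UPN): keep everything before the first "@".
set pos [string first "@" $identity]
if { $pos >= 0 } {
    set identity [string range $identity 0 [expr {$pos - 1}]]
}

# The result is substituted unescaped into the LDAP Query filter, so
# refuse an empty value or any of the filter metacharacters ( ) * \ .
# An empty username gives the LDAP Query nothing to match, which sends
# the session down the query's fallback branch.
if { $identity eq "" || [regexp {[()*\\]} $identity] } {
    return ""
}
return $identity
```

Assign the expression's return value to session.logon.last.username. The LDAP Query filter can then use either (sAMAccountName=%{session.logon.last.username}) or, when the IdP sends a UPN as NameID, the userPrincipalName filter from the second reply; in both cases the user's sAMAccountName attribute can be copied into session.logon.last.username and session.logon.last.logonname for the SSO Credential Mapping that follows.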