For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

dp_119903's avatar
dp_119903
Icon for Cirrostratus rankCirrostratus
Sep 15, 2015

Non local kerberos realm

I have kerberos for server-side (SSO) working just fine.   My kerberos sso config looks like this: username source: session.sso.token.last.username username realm source: session.logon.last.domain...
BIG-IP Access Policy Manager (APM)
security
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Oct 01, 2015

Let's step back a bit. We know that if you very simply do a variable assignment in the visual policy with the correctly formatted names then it works. So the goal should be to take whatever subject value is coming from the SAML assertion and assign that, formatted as required, into the session variables needed for Kerberos SSO. If you're using sAMAccountName and correct domain in the working policy, then that's what you need to convert the SAML subject to. If you can derive any of that information directly from the SAML assertion, great. Otherwise you may need to do a quick AD or LDAP query to get the sAMAccountName of the user.