Forum Discussion
SAML: APM as Service Provider (SP) role - is it possible to do SSO credential mapping to the backend server?
Hi,
But if I am able to send the password as an encoded SAML attribute in the assertion, can't that be extracted using an iRule, decoded and inserted as session.logon.last.password and mapped as an SSO credential mapping attribute?
- Sep 14, 2017
Why use SAML if your backend already knows the username and the password........
- Pushpendu_Biswa, Sep 14, 2017, Nimbostratus
The purpose is to use the F5 SP as the landing/gateway and use it as an auth broker for multiple backend applications with varying requirements, like OWA and custom IIS apps with NTLM. The F5 SP should be posting the creds to the backend app here with NTLM/forms auth. With the following iRule, I can get the user identity and any attribute in the SAML but not the password. I wonder if F5 is stripping/blocking the keyword "password" in the attribute or something is wrong with my b64decode.
Any help is highly appreciated.
====================================================================================
when ACCESS_ACL_ALLOWED {
    # Identity from the SAML NameID, plus the "password" attribute, which the IdP sends base64-encoded
    set username [ACCESS::session data get session.saml.last.identity]
    set password [b64decode [ACCESS::session data get session.saml.last.attr.name.password]]
    # Writes both values, including the decoded password, in cleartext to the LTM log
    log local0. "Username -$username, Password - $password"
}
when ACCESS_SESSION_STARTED {
    # Copy the values into the logon variables that SSO credential mapping reads
    if { [info exists username] } {
        ACCESS::session data set session.logon.last.username $username
    }
    if { [info exists password] } {
        ACCESS::session data set session.logon.last.password $password
    }
}
====================================================================================
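As an added example, not code from this thread or from F5, the following Python script reproduces offline what the iRule above tries to do: it pulls the NameID and the named attributes out of an assertion, keys them the way the iRule references them (session.saml.last.identity and session.saml.last.attr.name.<Name>), and base64-decodes one attribute strictly so that "attribute missing" can be told apart from "attribute present but not valid base64", which is the distinction the poster is trying to make. The assertion is a constructed sample, the session-variable names are taken from the iRule on this page, and the choice to keep only the first AttributeValue of a multi-valued attribute is an assumption.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion (not a real IdP response). The "password"
# attribute carries base64("P@ssw0rd"); "mail" is deliberately not base64.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="password"><saml:AttributeValue>UEBzc3cwcmQ=</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(assertion_xml):
    """Map each Attribute's Name (exact case) to its list of AttributeValue strings."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs[attr.get("Name")] = values
    return attrs


def subject_name_id(assertion_xml):
    """Return the NameID text, or None when the assertion has no Subject/NameID."""
    node = ET.fromstring(assertion_xml).find(f".//{{{SAML_NS}}}NameID")
    return node.text if node is not None else None


def to_apm_session_vars(assertion_xml):
    """Build a dict keyed like the session variables the iRule reads.
    Assumption: only the first value of a multi-valued attribute is kept."""
    session = {"session.saml.last.identity": subject_name_id(assertion_xml)}
    for name, values in parse_attributes(assertion_xml).items():
        session[f"session.saml.last.attr.name.{name}"] = values[0] if values else ""
    return session


def decode_b64_attribute(attrs, name):
    """Return (status, value) with status in {"missing", "not-base64", "ok"}.
    The strict decode (validate=True) rejects any character outside the
    base64 alphabet and any bad padding instead of silently returning junk."""
    if name not in attrs or not attrs[name]:
        return ("missing", None)
    raw = attrs[name][0].strip()
    try:
        decoded = base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return ("not-base64", None)
    return ("ok", decoded.decode("utf-8", errors="replace"))


if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE_ASSERTION)
    for key, value in to_apm_session_vars(SAMPLE_ASSERTION).items():
        print(f"{key} = {value!r}")
    for name in ("password", "Password", "mail"):
        status, _ = decode_b64_attribute(attrs, name)
        print(f"attribute {name!r}: {status}")
```

Running it shows the three outcomes side by side: "password" decodes, "Password" is reported missing because the lookup is exact-case on the attribute Name, and "mail" is present but rejected as not base64. The decoded value is kept only in the return value and never written to a log, which is the one place the script deliberately differs from the iRule above.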