Forum Discussion
Hi,
But if I am able to send the password as an encoded SAML attribute in the assertion, can't that be extracted using an iRule, decoded and inserted as session.logon.last.password, and then mapped as an SSO credential mapping attribute?
- Sep 14, 2017
Why use SAML if your backend already knows the username and the password?
- Pushpendu_Biswa, Sep 14, 2017, Nimbostratus
The purpose is to use the F5 SP as the landing page/gateway and as an auth broker for multiple backend applications with varying requirements, like OWA and custom IIS apps with NTLM. The F5 SP should be posting the creds to the backend app here with NTLM/forms auth. With the following iRule, I can get the user identity and any attribute in the SAML assertion, but not the password. I wonder if F5 is stripping/blocking the keyword "password" in the attribute, or whether something is wrong with my b64decode.
Any help is highly appreciated.
====================================================================================
# Fires after the access policy has completed and an ACL has allowed a request.
when ACCESS_ACL_ALLOWED {
    set username [ACCESS::session data get session.saml.last.identity]
    # session.saml.last.attr.name.<Name> holds the attribute whose SAML Name is <Name>;
    # b64decode returns "" when the value is not valid base64.
    set password [b64decode [ACCESS::session data get session.saml.last.attr.name.password]]
    # Debug output only: log the length, never the clear-text password, to /var/log/ltm.
    log local0. "Username - $username, Password length - [string length $password]"
}

# Fires when the access session is created, i.e. before the policy (and before
# ACCESS_ACL_ALLOWED above) has run, so $username and $password do not exist yet
# and neither logon variable is actually set by this event.
when ACCESS_SESSION_STARTED {
    if { [info exists username] } {
        ACCESS::session data set session.logon.last.username $username
    }
    if { [info exists password] } {
        ACCESS::session data set session.logon.last.password $password
    }
}
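The following iRule is an added example, not code from the original post or from F5. It copies the SAML identity and a base64-encoded password attribute into the APM logon variables from inside the access policy, where the SSO Credential Mapping agent can still pick them up. ACCESS_SESSION_STARTED fires before the policy runs and ACCESS_ACL_ALLOWED fires after it has completed, so neither is a usable place to feed the mapping agent; ACCESS_POLICY_AGENT_EVENT runs exactly where an "iRule Event" agent is placed in the Visual Policy Editor. Assumptions (not from the page): the iRule Event agent has the ID "saml_creds" and sits after "SAML Auth" and before "SSO Credential Mapping"; the IdP sends the password as a SAML attribute whose Name is exactly "password" and whose value is base64-encoded.

```tcl
# Added example (not from the original post): map SAML-carried credentials into
# session.logon.last.* from inside the access policy so that the SSO Credential
# Mapping agent that runs next can map them to session.sso.token.last.*.
# Assumed: an "iRule Event" agent with ID "saml_creds" placed after "SAML Auth"
# and before "SSO Credential Mapping"; attribute Name "password", base64 value.
when ACCESS_POLICY_AGENT_EVENT {
    # Only act for the agent we own; other iRule Event agents may share this event.
    if { [ACCESS::policy agent_id] ne "saml_creds" } { return }

    set username [ACCESS::session data get "session.saml.last.identity"]
    set encoded  [ACCESS::session data get "session.saml.last.attr.name.password"]

    if { $username eq "" || $encoded eq "" } {
        # The attribute Name in the assertion must match exactly ("password" here)
        # and the IdP must actually release it; otherwise the variable is empty.
        log local0. "SAML creds: identity or password attribute missing for session [ACCESS::session sid]"
        return
    }

    # b64decode returns an empty string when the input is not valid base64.
    set password [b64decode $encoded]
    if { $password eq "" } {
        log local0. "SAML creds: password attribute for $username is not valid base64"
        return
    }

    ACCESS::session data set "session.logon.last.username" $username
    ACCESS::session data set "session.logon.last.password" $password

    # Log the outcome, never the secret itself.
    log local0. "SAML creds: mapped [string length $password]-char password for $username"
}
```

Two caveats a practitioner should keep in mind with this design: base64 is an encoding, not encryption, so the IdP should sign and encrypt the assertion it sends to the F5 SP, and the attribute value must never be written to logs or exposed through session variable dumps. If the attribute does not appear in session.saml.last.attr.name.* at all, check the exact attribute Name released by the IdP before suspecting the decode step.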