SAML: APM as Service Provider (SP) role - is it possible to do SSO credential mapping to the backend server?
Hi,
But if I am able to send the password as an encoded SAML attribute in the assertion, can't that be extracted using an iRule, decoded, inserted as session.logon.last.password and mapped as an SSO credentials mapping attribute?
The purpose is to use the F5 SP as the landing/gateway and use it as an auth broker for multiple backend applications with varying requirements - like OWA and custom IIS apps with NTLM. The F5 SP should be posting the creds to the backend app here with NTLM/forms auth. With the following iRule, I can get the user identity and any attribute in the SAML but not the password. I wonder if F5 is stripping/blocking the keyword "password" in the attribute or something is wrong with my b64decode.
Any help is highly appreciated.
====================================================================================
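when ACCESS_ACL_ALLOWED {
    # Read the identity and the base64-encoded "password" attribute from the SAML session variables
    set username [ACCESS::session data get session.saml.last.identity]
    set password [b64decode [ACCESS::session data get session.saml.last.attr.name.password]]
    # Debug output: this writes the decoded password in cleartext to the local0 log
    log local0. "Username -$username, Password - $password"
}
when ACCESS_SESSION_STARTED {
    # Copy the values into the session variables used for SSO credential mapping
    if { [info exists username] } {
        ACCESS::session data set session.logon.last.username $username
    }
    if { [info exists password] } {
        ACCESS::session data set session.logon.last.password $password
    }
}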
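
An offline check for the b64decode doubt raised in the question, as an added example that is not part of the original post and not F5 code: it reads a decoded assertion capture, pulls an attribute by its Name and decodes it strictly, returning the reason when decoding fails. The sample assertion, its values and all function names are constructed for illustration; the attribute Name `password` is assumed from the session variable used in the iRule above.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample of a decoded assertion, trimmed to the AttributeStatement.
# "UzNjcjN0IQ==" is standard base64 of the made-up value "S3cr3t!".
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="password">
      <saml:AttributeValue>UzNjcjN0IQ==</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def saml_attributes(assertion_xml):
    """Map each Attribute Name to its list of AttributeValue strings."""
    attrs = {}
    for attr in ET.fromstring(assertion_xml).iterfind(".//saml:Attribute", NS):
        vals = attr.iterfind("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = [(v.text or "").strip() for v in vals]
    return attrs

def strict_b64decode(value):
    """Return (text, None) on success or (None, reason) on failure."""
    if not value:
        return None, "attribute missing or empty"
    if "-" in value or "_" in value:
        return None, "URL-safe alphabet, not standard base64"
    if len(value) % 4:
        return None, "length not a multiple of 4 (padding stripped?)"
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError as exc:
        return None, f"invalid base64: {exc}"
    try:
        return raw.decode("utf-8"), None
    except UnicodeDecodeError:
        return None, "decoded bytes are not UTF-8 text"

def check_password_attribute(assertion_xml, name="password"):
    """Look up one attribute by Name and try to decode its first value."""
    values = saml_attributes(assertion_xml).get(name, [])
    return strict_b64decode(values[0] if values else "")
```

Base64 is an encoding, not encryption, so a capture used with this check contains the password in recoverable form and should be handled like the credential itself.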