

EM
Sep 05, 2016

SAML SP Send Username to IDP

Hi,


I have a SAML setup in place, SPs and IDPs on the same BIG-IP :)


I have the challenge to chain two IDPs after each other from the SP. So if the user hits the service, the SP redirects the user to the first IDP (2-factor authentication with username and token), comes back to the SP and will be redirected to a second IDP (on the BIG-IP) where username and password will be checked against AD. The 2FA solution in place is not capable of authenticating username, password and token - only user and token... :/


All of this is working like a charm - I just have one challenge:


If the user authenticates against the first IDP and comes back to the SP I want the second IDP to know the username already and pin the user to that username. So how can I populate from the SP (=BIG-IP) the username to the IDP (=BIG-IP)? Is there a way? Maybe over the SP Post/Redirect to the IDP? Query parameters and iRule extraction to pre-fill the APM session variable for the username (https://devcentral.f5.com/questions/vpe-logon-page-how-to-set-correctly-username-and-domain-prior-to-call-the-ad-)?


Has anybody done this before?


Greetings, Eric


1 Reply

  • If the second IdP is in fact the same BIG-IP as the SP, why can't you just use a logon page to gather the missing password and, together with the username provided through assertion or artifact, perform an auth against the correct backend?


    If not, you would have to get the client to share some information, for example in cookies, between the SP and IdP instances to be able to track one user between the two, and to leverage the session or table command to push the username between the instances.
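One way to implement the reply's first suggestion (keep the password logon inside the SP access policy and pin it to the identity the first IdP asserted), as an added iRule example that is not from this thread or from F5. It assumes a VPE layout of SAML Auth (first IdP), then an iRule Event agent with ID pin_saml_user, then a Logon Page whose username field is marked read-only, then an iRule Event agent with ID check_pinned_user, then AD Auth; it also assumes the first IdP sends the login name as the assertion NameID. The agent IDs and the session.custom.* variable names are chosen here, not taken from the thread.

```tcl
# Added example (not from the thread or from F5). Runs on the SP virtual server.
# Assumed VPE order: SAML Auth -> iRule Event "pin_saml_user" -> Logon Page
# (username read-only, password entered) -> iRule Event "check_pinned_user" -> AD Auth.
# Assumption: the first IdP's assertion NameID is the AD login name.

when ACCESS_POLICY_AGENT_EVENT {
    switch [ACCESS::policy agent_id] {
        "pin_saml_user" {
            # Take the identity from the assertion APM has already validated,
            # never from a query string or a client-editable form field.
            set user [ACCESS::session data get session.saml.last.nameIDValue]
            if { $user eq "" } {
                # No usable identity: let the policy branch to Deny on pin_ok == 0
                ACCESS::session data set session.custom.pin_ok 0
            } else {
                # Remember what was asserted and pre-fill the logon page
                # (the Logon Page agent shows session.logon.last.username as the
                # read-only username; only the password is typed).
                # If the IdP sends a UPN and AD expects sAMAccountName, normalise here.
                ACCESS::session data set session.custom.pinned_user $user
                ACCESS::session data set session.logon.last.username $user
                ACCESS::session data set session.custom.pin_ok 1
            }
        }
        "check_pinned_user" {
            # Defence in depth: a read-only field is still submitted by the client,
            # so re-check the posted username against the pinned one before AD Auth.
            set pinned [ACCESS::session data get session.custom.pinned_user]
            set typed  [ACCESS::session data get session.logon.last.username]
            if { $pinned eq "" || ![string equal -nocase $pinned $typed] } {
                ACCESS::session data set session.custom.pin_ok 0
                # Put the asserted name back so AD Auth never sees a substituted one
                ACCESS::session data set session.logon.last.username $pinned
            } else {
                ACCESS::session data set session.custom.pin_ok 1
            }
        }
    }
}
```

After each iRule Event agent, branch the policy on `expr { [mcget {session.custom.pin_ok}] == 1 }` so a missing or mismatching username ends in Deny rather than reaching AD Auth. This covers the case the reply describes where SP and IdP are the same BIG-IP and the password check can live in the SP policy; if the second IdP has to stay a separate access profile, the same pin-and-check logic belongs in that profile's policy, but the username then has to be carried between the two APM sessions as the reply's second paragraph explains.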