Forum Discussion
SAML SSO Using Logged In Windows Credentials
Thank you everyone for your help. We now have IdP initiated working. The basic configuration was there; I needed to remove the SSO Credential Mapping and I also had the incorrect SSO Configuration associated with the Access Policy. However, the SP initiated is not working correctly. When accessing the SP initiated URL in Internet Explorer, the client is redirected to the IdP and is then prompted for Windows security credentials. The 401 Response appears to be working because the logs show the variable is set: Session variable 'session.logon.last.username' set to 'username@domain.com'. If the client cancels the Windows credentials prompt, they are prompted by a Windows download dialog asking if they want to Open or save sso from idp.domain.com. If they then reenter the SP URL in the browser again, they get successful access to the site using SAML SSO.
If they try to access the site in Chrome they get the following: "The webpage at https://idp.domain.com/saml/idp/profile/redirectorpost/sso might be temporarily down or it may have moved permanently to a new web address." Again, the logs show the username variable being set and successfully sent through Access Policy. It seems there is some issue accessing the saml/idp/profile/redirectorpost/sso site.
Would there be any issues using Kerberos with SP initiated access?
- InnO (Jun 15, 2015, Nimbostratus): Hi, I have kind of the same problem here with the same policy. Any time the connection is SP-initiated, I get prompted for credentials any time the POST to /saml/idp/profile/redirectorpost/sso happens. Same policy but IdP-initiated works perfectly.
- Evan_Champion_1 (Dec 30, 2015, Cirrus): I had the same problem where POST to /saml/idp/profile/redirectorpost/sso returns 401. I resolved this by changing the IdP connector to Single Sign On Service Binding = Redirect.
- Evan_Champion_1 (Jan 04, 2016, Cirrus): Once you get this part working, unfortunately you will find there is an issue with Kerberos authentication on F5 where initial authentication will work transparently as expected, but following session expiry the user will be prompted for credentials. See: https://devcentral.f5.com/s/feed/0D51T00006i7cUJSAY. Please open a support case with F5 to raise the priority of this issue.
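
For anyone comparing the two Single Sign On Service Binding settings mentioned in this thread in a browser trace, the sketch below decodes the SAMLRequest from a captured GET (Redirect binding) or POST (POST binding) to the SSO endpoint. It is an added example, not posted by any participant and not F5 code; the AuthnRequest, its ID and sp.domain.com are constructed placeholders.

```python
import base64
import zlib
from urllib.parse import urlencode, urlsplit, parse_qs

SSO_URL = "https://idp.domain.com/saml/idp/profile/redirectorpost/sso"

# Constructed AuthnRequest; ID, timestamp and sp.domain.com are placeholders.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed1" Version="2.0" IssueInstant="2015-12-30T00:00:00Z" '
    'Destination="' + SSO_URL + '">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.domain.com</saml:Issuer></samlp:AuthnRequest>'
)

def encode_redirect(xml, sso_url=SSO_URL):
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode into a GET URL."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no header
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return sso_url + "?" + query

def encode_post(xml):
    """HTTP-POST binding: base64 only, carried in a form-encoded body."""
    return urlencode({"SAMLRequest": base64.b64encode(xml.encode()).decode()})

def decode_saml_request(method, url, body=""):
    """Return (binding, xml) for one captured request to the SSO endpoint."""
    method = method.upper()
    if method == "GET":
        params = parse_qs(urlsplit(url).query)
        raw = base64.b64decode(params["SAMLRequest"][0])
        return "HTTP-Redirect", zlib.decompress(raw, -15).decode()
    if method == "POST":
        params = parse_qs(body)
        if "SAMLRequest" not in params:
            # The POST reached the endpoint without a SAMLRequest field.
            return "HTTP-POST", None
        return "HTTP-POST", base64.b64decode(params["SAMLRequest"][0]).decode()
    raise ValueError("unexpected method: " + method)

if __name__ == "__main__":
    print(decode_saml_request("GET", encode_redirect(AUTHN_REQUEST)))
    print(decode_saml_request("POST", SSO_URL, encode_post(AUTHN_REQUEST)))
```

Feed it the method, URL and form body copied from the browser's network trace to confirm which binding the SP actually used and whether the request arrived intact.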