I am trying to use NTLM pre-authentication for SAML assertions. To conceptualize: use external logon page in F5 that points to a web service instead of a formthe web service authenticates pass through for NTLM based clients and challenges other browsers/non windows domain joined systems for credentialsthe web service does a redirect post back to the virtual server/my.policy with specific parameters (i.e. username and dummy password and specific flag stating user x is authenticated)capture the custom session variables i manage the APM session and assign resources as required. Is this possible? I'm getting close to getting this to work but I need to get the HTTP respond location working as I want it.

That should in fact work. Assuming you can get the external logon page stuff to work (rarely an easy thing), the only thing the APM IdP needs to send a valid assertion is the session variable that you've specified as the "Assertion Subject Value". So you could technically take the returned username and assign that to the required session variable, and assuming the SP accepts both the assertion and the ID value, you should be good to go. It'd then go something like this (IdP-initiated approach): User goes to APM IdP which then redirects to the external logon pageUser authenticates to external logon page via NTLM and is redirected back to APM IdP /my.policy URI with the username and (dummy) POST valuesAPM IdP assigns the returned username to the assertion subject value session variableAPM IdP access policy falls into the resource assignment agent, which specifies an external SP connector, and then redirects the user to the SP with a SAML assertion.Bam, you're in.

This is working and in production, it passes back to the F5 a randomized 128bit encrypted string which the F5 decodes using CRYPTO:: methods; it provides a seamless experience and requires the users never to need to login :) It also has basic authentication failback for non-domain joined systems or Mac clients. I'd be happy to share the entire solution as a devcentral article with the .NET ASP solution and the F5 bits if this is possible :)

http://schoombee.wordpress.com/2014/02/15/ntlm-saml-bridge-with-f5-access-policy-manager/

Rabbit23 - I read over your solution that you posted on wordpress, but am a bit confused at the workflow. If I understood it correctly, you've setup an IIS site that will authenticate the user via NTLM and then will send an "assertion" to the APM, which will have to verify it via the symmetric encryption key that is set and allow user to proceed if the verification is successful. If I understood that right, is there a reason why you are not just using NTLM authentication on the BIG-IP itself to achieve the same?

Forum Discussion

Rabbit23_116296

Nimbostratus

Jan 23, 2014

SSO options - NTLM integrated SAML assertions

I am trying to use NTLM pre-authentication for SAML assertions. To conceptualize:

use external logon page in F5 that points to a web service instead of a form
the web service authenticates pass through for NTLM based clients and challenges other browsers/non windows domain joined systems for credentials
the web service does a redirect post back to the virtual server/my.policy with specific parameters (i.e. username and dummy password and specific flag stating user x is authenticated)
capture the custom session variables i manage the APM session and assign resources as required.

Is this possible? I'm getting close to getting this to work but I need to get the HTTP respond location working as I want it.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)