Forum Discussion
Using SAML for login vs F5 Login Page, but need the password for SSO profiles
Hi Michael,
I have the same requirement. My IdP is on premise and I am able to send the password attribute in the SAML assertion to the F5 IdP, but can't pass it to the backend app that requires NTLM/forms authentication. The question is how do I extract the password from the attribute and use it as session.logon.last.password? Tried to work with this iRule but it didn't work.
when ACCESS_ACL_ALLOWED {
set username [ACCESS::session data get session.saml.last.identity]
set password [b64decode [ACCESS::session data get session.saml.last.attr.name.password]]
}
when ACCESS_SESSION_STARTED {
if { [ info exists username ] } {
ACCESS::session data set session.logon.last.username $username
}
if { [info exists password] } {
ACCESS::session data set secure session.logon.last.password $password
}
}
My policy looks like this:
Start --> SAML Auth --> SSO Credential Mapping.
- Rusty_M_140798, Sep 14, 2017, Nimbostratus
Hey Pushpendu, this is not possible: the attribute "login.last.password" does not get populated when SAML is used, as it defeats the reason to use SAML auth.
The only way to accomplish this would be to use forms-based login via the F5 page, then add an SSO profile to each application in the portal, passing the username and password for the different types of authentication required by the individual apps.
- Pushpendu_Biswa, Sep 14, 2017, Nimbostratus
Hi Rusty,
Thank you for your prompt response. But can't we inject this using an iRule as some other variable and use Variable Assign to map it to login.last.password? I know in NetScaler we can do a traffic policy and then a profile by creating an SSO expression to pass the credentials from SAML to the backend apps.
However, if this is something not allowed by APM then it's a different story.
- Rusty_M_140798, Sep 14, 2017, Nimbostratus
You can if you capture the password. If you do a SAML redirect at login, the user is actually logging into your IdP, then redirecting back to the SP (F5) with a success token. The username and password never leave the IdP.
Pponte, I can see that working as long as your application trusts the "token" provided by SAML to Kerberos. From what you listed, you are saying once users pass SAML auth, allow them access to applications if they are a member of, correct? This removes username/password from the equation but only works if your application will limit by group.
- Stanislas_Piro2, Sep 14, 2017, Cumulonimbus
Hi,
You can try this code:
when ACCESS_POLICY_COMPLETED {
    # Pull the identity and the base64-encoded password attribute out of the SAML assertion
    set username [ACCESS::session data get session.saml.last.identity]
    set password [b64decode [ACCESS::session data get session.saml.last.attr.name.password]]
    # Hand them to the SSO profile; -secure keeps the password out of session variable dumps and logs
    ACCESS::session data set session.sso.token.last.username $username
    ACCESS::session data set -secure session.sso.token.last.password $password
}
- Pushpendu_Biswa, Sep 14, 2017, Nimbostratus
Thanks Piron. I ran into the same issue but got it working another way. Here is what I did:
- Changed the SAML attribute name from Password to some other name, say "example"
- Got rid of the iRule and instead put a Variable Assign where:
  session.sso.token.last.username is mapped to session.saml.last.identity
  session.sso.token.last.password is mapped to session.saml.last.attr.name.example (the password attribute)
- Created a SSO NTLM method
- Added the NTLM method in the SSO configuration of the SAML Profile that I have.
I tested it from a standalone machine (not added to the domain) in FFX, Chrome and IE, and it works as expected.
Will need to do some further tests and check whether the behaviour meets the client's requirements and satisfaction.
- Stanislas_Piro2, Sep 15, 2017, Cumulonimbus
I confirm Variable Assign may do the same as the iRule I provided (except that the SAML password is not base64-decoded, and you don't save the password in a secure variable, which would prevent the password from being included in logs).
Variable Assign is much better than an iRule when possible. But it is not recommended to provide the password in the SAML assertion.
Kerberos SSO is still the best solution when APM is the SAML SP.
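An added example, not code from this thread or from F5, to make the two points above concrete: a small audit that parses a SAML assertion's AttributeStatement, flags attributes whose names look like credentials, shows the base64 decode step the iRule performs, and produces a log-safe view with those values masked (the equivalent of APM's secure session variable). The assertion below is a constructed sample, not captured traffic; the IdP URL, the attribute names ("example", "userPassword") and the values in it are hypothetical.

```python
"""Audit a SAML 2.0 assertion for credential-bearing attributes.

Added example; not code from the DevCentral thread or from F5.
SAMPLE_ASSERTION is constructed for this example (hypothetical IdP,
attribute names and values), not a captured assertion.
"""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names an SP should refuse to consume: an assertion is a signed
# statement about identity, not a channel for a reusable password.
SENSITIVE_NAME_RE = re.compile(r"pass(word|wd)?|pwd|secret|credential", re.IGNORECASE)

# Constructed sample. "example" is a base64-encoded password renamed to dodge
# the name check (as the thread did); "userPassword" is the obvious case.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" IssueInstant="2017-09-14T10:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>CN=app-users,DC=example,DC=test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="example">
      <saml:AttributeValue>UzNjcjN0UGFzcw==</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="userPassword">
      <saml:AttributeValue>S3cr3tPass</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def saml_attributes(assertion_xml):
    """Return {attribute name: [values]} from every AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def b64decode_attr(value):
    """The b64decode step from the iRule: decoded text, or None if the value is not base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def find_credential_attributes(attrs):
    """Names of attributes that look like credentials, by name only."""
    return sorted(name for name in attrs if SENSITIVE_NAME_RE.search(name))


def log_safe_view(attrs, extra_sensitive=()):
    """Copy of attrs with credential values masked, so a debug log never carries a password.

    extra_sensitive lists attributes the name check cannot see, e.g. a
    password attribute the IdP admin renamed to something innocuous.
    """
    hide = set(find_credential_attributes(attrs)) | set(extra_sensitive)
    return {
        name: (["<redacted>"] * len(values) if name in hide else list(values))
        for name, values in attrs.items()
    }


if __name__ == "__main__":
    found = saml_attributes(SAMPLE_ASSERTION)
    print("credential attributes by name:", find_credential_attributes(found))
    print("decoded 'example':", b64decode_attr(found["example"][0]))
    print("log-safe view:", log_safe_view(found, extra_sensitive=("example",)))
```

The name check only catches the obvious case; once the attribute is renamed, as it was in this thread, nothing on the SP side can tell a password apart from any other string, which is why the real control is to not release the password from the IdP at all and use Kerberos SSO from the SP instead.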
- Pushpendu_Biswa, Sep 15, 2017, Nimbostratus
Hi Stan,
I totally agree with you. I am also against the idea of including passwords in the SAML assertion, as it defeats the purpose of federation as a whole.
Thanks for your help again, much appreciated.
- Stanislas_Piro2, Sep 15, 2017, Cumulonimbus
You are working with NTLM authentication, so the server is an AD domain member... why aren't you trying Kerberos instead?
- Pushpendu_Biswa, Sep 15, 2017, Nimbostratus
That is the next use case. This was a POC for NTLM SSO.
- Pushpendu_Biswa, Sep 18, 2017, Nimbostratus
Stan,
What is the correct syntax for b64decode when I want to put it in the Variable Assign? Should I use expr or return? Can you kindly suggest?
expr {b64decode {mcget [session.saml.last.attr.name.some_encoded_attr]}}
OR
return {b64decode {mcget [session.saml.last.attr.name.some_encoded_attr]}}