Forum Discussion
Using SAML for login vs F5 Login Page, but need the password for SSO profiles
Hi Michael,
I have the same requirement. My IdP is on premise and I am able to send the password attribute in the SAML assertion to the F5 IdP, but I can't pass it to the backend app that requires NTLM/forms authentication. The question is: how do I extract the password from the attribute and use it as session.logon.last.password? I tried to work with this iRule but it didn't work.
when ACCESS_ACL_ALLOWED {
    set username [ACCESS::session data get session.saml.last.identity]
    set password [b64decode [ACCESS::session data get session.saml.last.attr.name.password]]
}
when ACCESS_SESSION_STARTED {
    if { [ info exists username ] } {
        ACCESS::session data set session.logon.last.username $username
    }
    if { [info exists password] } {
        ACCESS::session data set secure session.logon.last.password $password
    }
}
My policy looks like this:
Start --> SAML Auth --> SSO Credential Mapping.
Hi Rusty,
Thank you for your prompt response. But can't we inject this using an iRule as some other variable and use Variable Assign to map it to login.last.password? I know in NetScaler we can do a traffic policy and then a profile by creating an SSO expression to pass the credentials from SAML to the backend apps.
However, if this is something not allowed by APM then it's a different story.