Forum Discussion
Rusty_M_140798
Nimbostratus
NimbostratusUsing SAML for login vs F5 Login Page, but need the password for SSO profiles
I have a scenario where we are using SAML as our first point vs a F5 login page, see APM policy below.
The way this works is the user is re-directed to our SAML provider for authentica...
Pushpendu_BiswaNimbostratus
NimbostratusHi Michael,
I have the same requirement. My IdP is on premise and I am able to send the password attribute in SAML assertion to F5 IdP but cant pass it to the backend app that requires NTLM/forms authentication. The question is how do I extract the password from the attribute and use it as session.logon.last.password? Tried to work with this iRule but didnt work.
when ACCESS_ACL_ALLOWED {
set username [ACCESS::session data get session.saml.last.identity]
set password [b64decode [ACCESS::session data get session.saml.last.attr.name.password]]
}
when ACCESS_SESSION_STARTED {
if { [ info exists username ] } {
ACCESS::session data set session.logon.last.username $username
}
if { [info exists password] } {
ACCESS::session data set secure session.logon.last.password $password
}
}
My policy looks like this:
Start --> SAML Auth --> SSO Credential Mapping.
Rusty_M_140798Nimbostratus
NimbostratusYou can if you capture the password. If you do a saml redirect at login the user is actually logging into your IDP then redirecting back to the SP (F5) with a success token. The username and password never leave the IDP.
Pponte, I can see that working as long as your application trust the "token" provided by SAML to Kerberos. From what you listed you are saying once users pass SAML auth, allow them to access to applications if they are a member of, correct? This removes username/password from the equation but only works if your application will limit by group.