Forum Discussion
VPE logon page : how to set correctly USERNAME and DOMAIN prior to call the AD ...
Hello,
I cannot find the variables to set in the entry of the VPE Active Directory auth server ...
I've tuned a logon page with USERNAME set as toto@domain.com. Then, when the AD auth server runs, it concatenates toto@domain.com with the domain set in the AD profile, even if I check or uncheck the split domain!
If I set it as toto I get a SAML error (it seems the domain is not correctly set ...)
I saw a lot of things everywhere about this subject but can't manage to fix it.
Easy for you ?
Thanks all and have a good day
12 Replies
- Stanislas_Piro2
Cumulonimbus
Hi,
when logon page is defined with split domain enabled, variables will be:
- toto@domain.com
  - session.logon.last.logonname: toto@domain.com
  - session.logon.last.username: toto
  - session.logon.last.domain: domain.com
- domain\toto
  - session.logon.last.logonname: domain\toto
  - session.logon.last.username: toto
  - session.logon.last.domain: domain
AD Auth will authenticate user with variables:
- Username : session.logon.last.username
- Password : session.logon.last.password
if domain is not correctly set, you can assign variables after AD Authentication:
    session.logon.last.domain = expr { [mcget {session.ad.last.actualdomain}]}
- toto@domain.com
- Letendart
Nimbostratus
hey ... it's getting better with the variables but I now get a problem with the SAML
meaning AD and SSO are OK but the ADFS request returns an error
anyway thanks for your help !
- Stanislas_Piro2
Cumulonimbus
Was SAML working with another configuration?
- Letendart
Nimbostratus
Hello, see my comment in the attached file ... it was detected as spam :-)
- Letendart
Nimbostratus
OK, I reformatted my message and no more spam ... seems it was the hyphen
- Letendart
Nimbostratus
Hi, yes, the SAML works when I don't try to change the USERNAME value of the logon page. If I fill the USERNAME value of the logon page with the information I catch in the URL (via an iRule) then AD auth works but SAML fails. I guess that, doing that (changing the USERNAME value), I have also changed other required values going to the SAML: strange (for me).
As a reminder, I'm trying to implement the ADFS rule on the BIG-IP F5. It runs well but the logon page is not pre-filled with the username value given by the user when connecting to portal.office.com. So I have set an iRule which gets the username and pre-fills the logon page. But doing that, SAML no longer runs! I'm not far from success but I'm blocked on this problem. cu
- Stanislas_Piro2
Cumulonimbus
If you want help, share the irule, the VPE screenshot and box properties (without information about your company).
- Letendart
Nimbostratus
Hi Stanislas, OK I finally found MY problem ... it was a bit stupid: to get a value inside the URI I had changed the URI itself! So when it went to the ADFS server, the request failed.
I corrected my error; it remains for me to make sure I'm using the correct variables. I'm using GLOBAL ones,
is that good practice?
    when HTTP_REQUEST {
        # split the query string into name=value pairs
        set namevals [split [HTTP::query] "&"]
        for {set i 0} {$i < [llength $namevals]} {incr i} {
            set params [split [lindex $namevals $i] "="]
            set pnum [expr $i+1]
            if { [lindex $params 0] contains "username" } {
                # strip the URL-encoded "@domaine-test.com" suffix from the raw query value
                set static::tmp_username [string map -nocase {"%40domaine-test.com" ""} [URI::query [HTTP::uri] [lindex $params 0]]]
            }
        }
    }
    when ACCESS_POLICY_AGENT_EVENT {
        switch [ACCESS::policy agent_id] {
            "O365_USERNAME" {
                # copy the captured value into the session for the VPE logon page
                ACCESS::session data set session.custom.username $static::tmp_username
            }
        }
    }
- Stanislas_Piro2
Cumulonimbus
Hi,
the use of a static variable is wrong, as static variables are shared between all virtual servers and connections.
try this iRule doing the same:
    when ACCESS_SESSION_STARTED {
        set uri [ACCESS::session data get session.server.landinguri]
        set query [URI::query $uri]
        set namevals [split $query "&"]
        for {set i 0} {$i < [llength $namevals]} {incr i} {
            set params [split [lindex $namevals $i] "="]
            set pnum [expr $i+1]
            if { [lindex $params 0] contains "username" } {
                ACCESS::session data set session.logon.last.samluser [string map -nocase {"%40domaine-test.com" ""} [URI::query $uri [lindex $params 0]]]
            }
        }
    }
I checked it successfully:
    sessiondump -allkeys
    e5b4ff31.session.logon.last.samluser 4 titi
    e5b4ff31.session.server.landinguri 38 /?terldfkndlfusernamefgjlhgdflkjg=titi
- Stanislas_Piro2
Cumulonimbus
The following iRule may do the job, as Office 365 requests the username as a parameter... there is no need to do the foreach loop:
    when ACCESS_SESSION_STARTED {
        set uri [ACCESS::session data get session.server.landinguri]
        set username [URI::decode [URI::query $uri username]]
        if {$username ne ""} {
            ACCESS::session data set session.logon.last.samluser [getfield $username "@" 1]
        }
    }
- Letendart
Nimbostratus
Wow, beautiful ... I'm trying all of this
- Letendart
Nimbostratus
Thanks Stanislas, it runs perfectly with your last proposal, meaning:
    when ACCESS_SESSION_STARTED {
        set uri [ACCESS::session data get session.server.landinguri]
        set username [URI::decode [URI::query $uri username]]
        if {$username ne ""} {
            ACCESS::session data set session.logon.last.samluser [getfield $username "@" 1]
        }
    }
I just had to adapt it for my precise concerns. Thanks a lot for your help, I'm now more at ease with the iRules, variable assignments and contexts ... cu
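As an added example (not from the thread, nor F5 code), a Python model of the two extraction strategies discussed above: the loose `contains "username"` loop, which in the sessiondump test happily matched a parameter named terldfkndlfusernamefgjlhgdflkjg, and the final exact-parameter plus getfield version, with a shape check added before the value is stored, since the landing URI is unauthenticated client input. The sample URIs and the USERNAME_RE pattern are constructed assumptions.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed landing URIs (hypothetical, modelled on the thread's sessiondump line).
LANDING_EXACT = "/?username=toto%40domaine-test.com&wa=wsignin1.0"
LANDING_OTHER = "/?username=toto%40other-tenant.com"
LANDING_LOOSE = "/?terldfkndlfusernamefgjlhgdflkjg=titi"

# Assumed conservative shape for a value that will be written into an APM session variable.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def samluser_loose(uri: str) -> Optional[str]:
    """First iRule: any query key that merely *contains* 'username' is accepted,
    and only one hard-coded encoded domain suffix is stripped from the raw value."""
    for pair in urlsplit(uri).query.split("&"):
        key, _, raw = pair.partition("=")
        if "username" in key:
            stripped = re.sub(r"%40domaine-test\.com", "", raw, flags=re.IGNORECASE)
            return unquote(stripped)
    return None


def samluser_exact(uri: str) -> Optional[str]:
    """Final iRule: exact 'username' parameter, URI-decoded, part before '@' only
    (getfield $username "@" 1); a missing or empty value sets nothing."""
    values = parse_qs(urlsplit(uri).query, keep_blank_values=True).get("username")
    if not values or values[0] == "":
        return None
    return values[0].split("@", 1)[0]


def safe_samluser(uri: str) -> Optional[str]:
    """Exact extraction plus a shape check: reject anything that is not a plain
    account-name-like token before it is used to pre-fill the logon page."""
    user = samluser_exact(uri)
    return user if user is not None and USERNAME_RE.fullmatch(user) else None
```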