Forum Discussion
ADFS Proxy without password
Hello!
When an SP-initiated federation is initiated and the user gets to BIGIP APM you normally use a Logon page and send their credentials to ADFS with a "forms client initiated SSO".
But imagine a scenario when your users are authenticated through a "SAML Auth", BIGIP only has access to their username. When BIGIP tries to pass credentials with forms client initiated SSO this fails because BIGIP is unaware of the password and is therefore redirected to the ADFS Form-based login page.
Is there any workaround for this? One workaround is to throw up a logon page after a successful SAML auth but I need a passwordless logon for my purposes.
Regards,
Johan
6 Replies
- レザ
Cirrus
Hi Daniel_Wolf
The problem was solved by doing down/up pool members. I am using the least sessions load balancing algorithm for this pool and also I'm not using OneConnect on this virtual server.
- PSFletchTheTek
Cumulonimbus
Daniel_Wolf has a fair point to consider here,
APIs don't normally use cookies for persistence. If this is the heavy load you're experiencing, down/up pool members just means you have fixed the problem for now by resetting everything, as shortly you'll be in the same position as you were previously, just on a different server. If your application only ever keeps one connection open or is always from one IP, persistence will lock that user to one location and won't release it until the connection times out. A company of many users behind a NAT/Proxy normally causes this issue. I know this is the advantage of cookie persistence, but API clients don't normally use this.
How are you managing internal and external comms? One VS for each or a VS for external and internal?
Potentially you could put them onto different Virtual servers to try to put different persistence on each config. Maybe even check that your fallback persistence profile is also set so if cookies aren't set you still have something.
Load Balancing is on the pool config so I think I'd leave that alone. I'd also keep away from having more than one pool with the same pool members in it, otherwise you won't see the total picture.