Bypass Azure Login Page by adding a login hint in the SAML Request
Problem this snippet solves:
Enhance the login experience between F5 (SAML SP) and Azure (SAML IDP) by injecting the "email address" as a login hint on behalf of the user.
This enhances the user experience because it allows to bypass the Azure Login Page and avoids the user to type two times his login/email address.
Example of use
Your application need to be accessed by both "domain users" and "federated users".
Your application is protected by the F5 APM with a "Login Page" that asks for the user "email address". Based on the "email address" value you determine the domain:
- if the user is a "domain user", you authenticate him on the local directory (AD Auth, LDAP Auth or ...)
- if the user is a "federated user" (such as xxx@gmail.com), you send him to the Azure IDP that will manage all federated access
This snippet is particularly interesting for the "federated user" scenario because:
- without this code, a "federated user" will need to type his "login" twice. First time on "F5 Login Page" and the second time on "Azure Login Page"
- with this code, a "federated user" will need to type his "login" only on the F5 Login Page
How to use this snippet:
- Go to "Access > Federation > SAML Service Provider > External IDP Connectors" and edit the "External IdP Connectors" object that match with the Azure IDP app.
- On the "Single Sign On Service Settings" add at the end of the "Single Sign On Service URL" the following string "?login_hint=" as shown in the picture below.
The string "?login_hint=" is added here only to be able to uniquely identify it later by the iRule and replaced it.
3. Finally, apply the iRule below on the VS that has the Access Policy enabled and for which the SAML SP role is attributed and is binded to the Azure IDP application. The iRule will simply catch the "Single Sign On Service URL" and replace it with "?login_hint=xxxx@gmail.com".
Code :
when CLIENT_ACCEPTED { ACCESS::restrict_irule_events disable } when HTTP_RESPONSE_RELEASE { if { [string tolower [HTTP::header value "Location"]] contains "/saml2/?login_hint="} { set user_login [ACCESS::session data get "session.logon.last.mail"] #log local0. "Before adding the hint [HTTP::header value "Location"]" set locationWithoutHint "?login_hint=" set locationWithHint "?login_hint=$user_login" HTTP::header replace Location [string map -nocase "${locationWithoutHint} ${locationWithHint}" [HTTP::header Location]] #log local0. "After adding the hint [HTTP::header value "Location"]" } }
Tested this on version:
No Version Found