Sharing User Credentials Between SAML IDP and SP Policies in F5 APM

 

Use Case

In an F5 Access Policy Manager (APM) deployment with one Identity Provider (IDP) and multiple Service Providers (SPs), it’s often necessary for an SP policy to access user credentials (e.g., for NTLM, form-based auth, RDP, etc.) to enable seamless SSO. While SAML provides identity federation, it does not include password transfer, which complicates scenarios that require credentials at the SP side.

This article presents a solution to securely share the user password between the IDP and SP policies.

 

Problem Statement

The SP policy already receives the user identity via the Subject of the SAML assertion. The challenge is how to securely pass the user password from the IDP policy to the SP policy — since session.logon.last.password is not directly usable for custom logic.

 

Solution Overview

We’ll implement a secure mechanism to:

  • Capture the user password at the IDP side
  • Store it in a custom session variable
  • Share the IDP session ID with the SP via SAML attribute
  • Retrieve the password at the SP side using that session ID

We’ll use iRules and Access Policy Events to facilitate this flow.

 

Step-by-Step Implementation

1.  On the IDP Policy

  • Create a custom session variable (e.g., session.custom.password) and assign it the value of session.logon.last.password.
  • Do not mark it as "Secure" in the Variable Assign agent, as this would double-encrypt the password (it's already encrypted by default).

 

2.  Share the IDP Session ID with SP

To allow the SP policy to reference the original session, we expose the IDP session ID using an iRule event:

Access Policy Agent Event in the IDP Policy:

 

  • Assign this iRule to the IDP Virtual Server.
when ACCESS_POLICY_AGENT_EVENT {
    switch [ACCESS::policy agent_id] {
        "GetSessionID" {
            set sid [ACCESS::session sid]
            ACCESS::session data set session.custom.sid $sid
            # log local0. "$sid"
        }
    }
}

 

  • Include the session.custom.sid in the SAML assertion as an attribute (e.g., Session_ID).

 

Final IDP Policy

 

3.  On the SP Policy

At this point, the SP has access to the IDP session ID via the SAML attribute (e.g., session.saml.last.attr.name.Session_ID).

 

Now, we can use that ID to fetch the password from the original IDP session:

Access Policy Agent Event in the SP Policy:

Assign this iRule to the SP Virtual Server.

when ACCESS_POLICY_AGENT_EVENT {
    switch [ACCESS::policy agent_id] {
        "GetPassFromIdp" {
            if {[catch {
                ACCESS::session data set session.custom.password [ACCESS::session data get -sid [ACCESS::session data get "session.saml.last.attr.name.Session_ID"] -secure "session.custom.password"]
            }]} {
                log local0. "ERROR: Session_id: [ACCESS::session sid] - no custom.password set"
            }
        }
    }
}

 

  • Now session.custom.password is available in the SP session and can be used in SSO Credential Mapping.

 

Note: In this example, we assume the SAML assertion Subject contains sAMAccountName and it’s used directly for credential mapping.

 

Final SP Policy

 

Additional Notes

This approach assumes familiarity with:

  • SAML federation concepts
  • F5 APM Visual Policy Editor (VPE)
  • iRules and custom session variable usage
  • SSO credential mapping

It avoids transmitting the password as a SAML attribute and leverages internal session sharing between policies to maintain confidentiality.

Published Apr 06, 2025
Version 1.0
APM
saml
SSO
No CommentsBe the first to comment