BIG-IP iRulesLX FakeADFS - WS-Federation/SAML11

Details
This was created as a solution to REPLACE the need for AD FS to tie APM into SharePoint. The goal was originally to demonstrate the flexibility of iRulesLX and also to find a way to add WS-Federation support very quickly. This solution is currently SP initiated, but wouldn't take much to handle IdP initiated as well.

An example of the process flow is detailed in the following image.

All that's needed for this solution is to create or import the iRulesLX workspace, configure SharePoint as if you are connecting to AD FS as a trusted Identity Provider, but point to a virtual server on the BIG-IP.

Instructions

First, ensure that you have a certificate / key for the IDP, as well as the CA Chain/Root CA. These do not have to be from the same domain CA that SharePoint lives on, if it exists. We are going to add these to SharePoint as trusted.

On one of the SharePoint servers, open the SharePoint Management Powershell, issue the following.

To import the Trusted Root CA, that issued the signing cert:

$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("")

New-SPTrustedRootAuthority -Name "Token Signing Cert Parent" -Certificate $root

To import the Trusted Certificate

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("")

Next, create the Claim mappings for SharePoint:

$emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress  
" -IncomingClaimTypeDisplayName "EmailAddress" –SameAsIncoming

$upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn  
" -IncomingClaimTypeDisplayName "UPN" –SameAsIncoming

$roleClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role  
" -IncomingClaimTypeDisplayName "Role" –SameAsIncoming

$sidClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid  
" -IncomingClaimTypeDisplayName "SID" –SameAsIncoming

Note: Additional claim options here.

Next, create the Trusted Identity Provider.

$realm = "urn:sharepoint:"

$signInURL = "https:///adfs/ls"

$ap = New-SPTrustedIdentityTokenIssuer -Name (ProviderName) -Description (ProviderDescription) -realm  
$realm -ImportTrustCertificate $cert -ClaimsMappings $emailClaimMap,$upnClaimMap,$roleClaimMap,$sidClaimMap  
-SignInUrl $signInURL -IdentifierClaim $emailClaimmap.InputClaimType

To Associate a SharePoint Web Application with the new Identity Provider.

To configure an existing web application to use the FakeADFS identity provider
Verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group.

In Central Administration, on the home page, click Application Management.
On the Application Management page, in the Web Applications section, click Manage web applications.
Click the appropriate web application.
From the ribbon, click Authentication Providers.
Under Zone, click the name of the zone. For example, Default.
On the Edit Authentication page in the Claims Authentication Types section, select Trusted Identity provider, and then click the name of your SAML provider (<ProviderName> from the New-SPTrustedIdentityTokenIssuer command). Click OK.

Next, you must enable SSL for this web application. You can do this by adding an alternate access mapping for the “https://” version of the web application’s URL and then configuring the web site in the Internet Information Services (IIS) Manager console for an HTTPS binding.

APM Policy Flow

The current workflow works as follows:
1. A user opens a link to SharePoint.
2. SharePoint presents Authentication options for the WebApp.

3. A user selects Authentication Source (FakeADFS), enters credentials, which then redirects the user to Virtual Server configured with FakeADFS iRulesLX solution.
4. FakeADFS Generates a SAML11 assertion, then wraps it in the WS-Federation elements.

<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">  
<t:Lifetime>  
  <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2016-12-20T13:56:01.349Z</wsu:Created>  
  <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2016-12-20T14:56:01.349Z</wsu:Expires>  
</t:Lifetime>  
 <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">  
  <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">  
  <wsa:Address>urn:sharepoint:f5test</wsa:Address>  
  </wsa:EndpointReference>  
</wsp:AppliesTo>  
<t:RequestedSecurityToken>  
 <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"   
AssertionID="_8Ed1lOeqLhnGTETTOn9BHJn72TZ8lE25" IssueInstant="2016-12-20T13:56:01.363Z" Issuer="http://fakeadfs.f5ttest.com/adfs/services/trust">  
<saml:Conditions NotBefore="2016-12-20T13:56:01.363Z" NotOnOrAfter="2016-12-20T14:56:01.363Z">  
  <saml:AudienceRestrictionCondition>  
  <saml:Audience>urn:sharepoint:f5test</saml:Audience>  
  </saml:AudienceRestrictionCondition>  
</saml:Conditions>  
<saml:AttributeStatement>  
<saml:Subject>  
<saml:SubjectConfirmation>  
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>  
</saml:SubjectConfirmation>  
</saml:Subject>  
<saml:Attribute AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims" AttributeName="emailaddress">  
<saml:AttributeValue>flip@f5test.com</saml:AttributeValue>  
</saml:Attribute>  
<saml:Attribute AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims" AttributeName="upn">  
<saml:AttributeValue>0867530901@f5test.com</saml:AttributeValue>  
</saml:Attribute>  
</saml:AttributeStatement>  
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2016-12-20T14:56:01.363Z">  
<saml:Subject>  
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>  
</saml:SubjectConfirmation>  
</saml:Subject>  
</saml:AuthenticationStatement>  
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">  
<SignedInfo>  
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>  
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>  
<Reference URI="#_8Ed1lOeqLhnGTETTOn9BHJn72TZ8lE25">  
<Transforms>  
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>  
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>  
</Transforms>  
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>  
<DigestValue>fqLP9yVFDNveaOWwyEVl2Bc9M6bEzKb7KMZ2x33VgUc=</DigestValue>  
</Reference>  
</SignedInfo>  
<SignatureValue>tSLsHUu5m1Mc7qNmdfa5daEK2+noAgbuZ5faGaXQw7qCPEvNihXFUjGuwT4qgeIWFsiFcinin  
6Q42DwjRZBL1jcYpAYxP3WQFc+JvRlOaaWecklLmlLGBp9qjyzNzNhgT374T1YkgWJLTm4Jky7bW6HAMWJzT2vCpbSWLbtU=</SignatureValue>  
<KeyInfo>  
<X509Data>  
<X509Certificate>MIIGgjCCBGqgAwIBAgITFQAAAAVVlNqAr99awAAAAAAABTANBgkqhkiG9w0BAQsFADBJMRMwEQYKCZImiZ  
PyLGQBGRYDY29tMRUwEwYKCZImiZPyLGQBGRZjVsYWIxGzAZBgNVBAMTEkY1IExhYiBDQSAoMksxNlIyKTAeFw0xNjEyMTYxN  
TE1MjNaFw0xODEyMTYxNTE1MjNaMG8xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJQQTEUMBIGA1UEBxMLRG93bmluZ3Rvd24xDzAN  
BgNVBAoTBkY1IExhYjEPMA0GA1UECxMGRjUgTGFiMRswGQYDVQQDExJmYWtlYWRmcy5mNWxhYi5jb20wgZ8wDQYJKoZIhvcNAQE  
BBQADgY0AMIGJAoGBALgtr7ROiet3GPUg0yWa2dGPoirQ9dI8XiA7BsUwjTUG5yhAysKm0ZsCstKN92a2e8HxoHxiEZL39XzTxg  
5+3fY4A8hWttlqkKoWutnUS3GpPhfoVdufr8bTcr/vhLPCkuy9GsiDqAMwuiX/B3r0EHqFk3utfL3KDxZ5V94ArwqJAgMBAAGjg  
gK/MIICuzAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0AwwCgYIKwYBBQUHAwEweAYJKoZIhvcNAQkPBGswaTAOBggqhkiG9w0DAgIC  
AIAwDgYIKoZIhvcNAwQCAgCAMAsGCWCGSAFlAwQBKjALBglghkgBZQMEAS0wCwYJYIZIAWUDBAECMAsGCWCGSAFlAwQBBTAHBgU  
rDgMCBzAKBggqhkiG9w0DBzAdBgNVHQ4EFgQUL8AJuPouaekEIK8JuQAthnBS8wHwYDVR0jBBgwFoAUeyV8LWPBfaUCaLG/UR  
cYpOrjK48wgeMGA1UdHwSB2zCB2DCB1aCB0qCBz4aBzGxkYXA6Ly8vQ049RjUlMjBMYWIlMjBDQSUyMCEwMDI4MksxNlIyITAwM  
jksQ049V0lOMksxMlIyREMwMDEsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZp  
Z3VyYXRpb24sREM9ZjVsYWrIsREM9Y29tP2NlcnRpZmljYXRl2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN  
0cmlidXRpb25Qb2ludDCB0AYIKwYBBQUHAQEEgcMwgcAwgb0GCCsGAQxUFBzAChoGwbGRhcDovLy9DTj1GNSUyMExhYiUyMENBJT  
IwITAwMjgySzE2UjIhMDAyOSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlnd  
XJhdGlvbixEQz1mNWxhYixEQz1jb20/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRob3Jp  
dHkwIQYJKwYBBAGCNxQCBBQeEgBXAGUAYgBTAGUAcgB2AGUAcjANBgkqhkiG9w0BAQsFAAOCAgEAdom2Hvlw9MTKZbr6Ic3MLDR  
I10QGnflAq9w0/t6H8HN1jnEW8RTikIEpp2nOK7GknFq2161mJ4l5cRGroCyWsHN8to6VqhxqnESYHRyxwZDpS6a8JO4AYc111G  
fRWpB4nOIqs86aboUJDU+vRzrJHeuI1NzsI502i7fjlYqQVtE3FO2VIbekqx9zjHnliAX6l+VbDMFX8P8lP40U9rAIzHUPF+j3p  
34i+4tPtv1/bwTco2EZE8hy2XvJ4xHXzpXYytchRhv+8glYNKK229vhML0micJfnCJQ3xaiJ2e08/GSVoBF9x4J+z4V+XS9aZSn  
P2+N3tZESVVBA8U4kk9u6syfmDc4+ryoIw5XGcBIyitaH7FbKbYyUHY0XuWPHx6FOWWnCe2kIA/Zfs9IDCP/z07egIJabLymLC  
vRhOMyd1s5lajnTFfoFaDd7LlL1ipz94OdhxJ5/Aga7sTEtFPbjnfcSZ8lFglQUOkaKuZt6D/LQ/TW6TyDqPC3RDCoaqkY4MXgnm  
P0dUk9ql1y2qFU2l692ZDZQPB4Tiaa3yXDKwDwCWITQ0YBvIiCcSWoMKXXea96Q2lB3R9n7v9Y6I7eSniZjGqlYYQ3Bdi3FMVz+  
HGPeMOFq6HbzgnNtjFKwjqokUbwpwA7vZOQmFwEahEEaCPTpK25h4LSpLPtYa3fjfQ=</X509Certificate>  
</X509Data>  
</KeyInfo>  
</Signature>  
</saml:Assertion>  
</t:RequestedSecurityToken>  
<t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>  
<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>  
<t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>  
</t:RequestSecurityTokenResponse>

5. The results are injected into a form embedded in an HTTP::respond 200 content with javascript that will automatically POST the form data to SharePoint. SharePoint accepts the assertion from its Trusted Identity Provider.

The current solution pulls attributed from LDAP, but this isn't required, you can basically enter anything as username and SharePoint accepts it without question.

iRule/TCL Portion

when HTTP_REQUEST {  
    #  Wctx: This is some session data that the application wants sent back to  
    #  it after the user authenticates.  

    set wctx [URI::decode [URI::query [HTTP::uri] wctx]]  

    #  Wa=signin1.0: This tells the ADFS server to invoke a login for the user.  

    set wa [URI::decode [URI::query [HTTP::uri] wa]]  

    #  Wtrealm: This tells ADFS what application I was trying to get to.  
    #  This has to match the identifier of one of the relying party trusts  
    #  listed in ADFS.  wtrealm is used in the Node.JS side, but we dont need it  
    #  here.    
    #  Kept getting errors from APM, this fixed it.  

    node 127.0.0.1  

    #  Make sure that the user has authenticated and APM has created a session.  

    if {[HTTP::cookie exists MRHSession]} {  

        #log local0. "Generate POST form and Autopost "  

        #  tmpresponse is the WS-Fed Assertion data, unencoded, so straight XML  

        set tmpresponse [ACCESS::session data get session.custom.idam.response]  

        #  This was the pain to figure out.  The assertion has to be POSTed to  
        #  SharePoint, this was the easiest way to solve that issue.  Set timeout  
        #  to half a second, but can be adjusted as needed.  

        set htmltop "<html><script type='text/javascript'>window.onload=function(){ window.setTimeout(document.wsFedAuth.submit.bind(document.wsFedAuth), 500);};</script><body>"  
        set htmlform "<form name='wsFedAuth' method=POST action='https://sharepoint.f5test.com/_trust/'><input type=hidden name=wa value=$wa><input type=hidden name=wresult value='$tmpresponse'><input type=hidden name=wctx value=$wctx><input type='submit' value='Continue'></form/>"  
        set htmlbottom "</body></html>"  
        set page "$htmltop $htmlform $htmlbottom"  

        HTTP::respond 200 content $page  
    }  
}  

when ACCESS_POLICY_AGENT_EVENT {  
    #  Create the ILX RPC Handler  

    set fakeadfs_handle [ILX::init fakeadfs_extension]  
    #  Payload is just the incoming Querystring  

    set payload [ACCESS::session data get session.server.landinguri]  

    #  Currently, the mapped attributes are Email & UPN.  In some environments,  
    #  this may match, for my use case, they will not, so there is an LDAP AAA  
    #  which is queried based on the logon name (email), and the UPN is retrieved  
    #  from LDAP.  
    set AttrUserName [ACCESS::session data get session.logon.last.username]  
    set AttrUserPrin [ACCESS::session data get session.ldap.last.attr.userPrincipalName ]  

    #  Current solution uses Node.JS SAML module and can support SAML11, as well  
    #  as SAML20.  The APM policy calls the irule even ADFS, with generates the token  
    #  based on the submitted QueryString and the logon attributed.  
    switch [ACCESS::policy agent_id] {  
              "ADFS" {  
                    log local0. "Received Process request for FakeADFS, $payload"  
                    set fakeadfs_response [ILX::call $fakeadfs_handle Generate-WSFedToken $payload $AttrUserName $AttrUserPrin]  
                    ACCESS::session data set session.custom.idam.response $fakeadfs_response  
              }  
    }  
}  

#  This may or may not be needed, they arent populated with actual values, but  
#  have not tested WITHOUT yet.  
#  
#  MSISAuth and MSISAuth1 are the encrypted cookies used to validate the SAML  
#  assertion produced for the client. These are what we call the "authentication  
#  cookies", and you will see these cookies ONLY when AD FS 2.0 is the IDP.  
#  Without these, the client will not experience SSO when AD FS 2.0 is the IDP.  
#  
#  MSISAuthenticated contains a base64-encoded timestamp value for when the client  
#  was authenticated. You will see this cookie set whether AD FS 2.0 is the IDP  
#  or not.  
#  
#  MSISSignout is used to keep track of the IDP and all RPs visited for the SSO  
#  session. This cookie is utilized when a WS-Federation sign-out is invoked.  
#  You can see the contents of this cookie using a base64 decoder.  
#  MSISLoopDetectionCookie is used by the AD FS 2.0 infinite loop detection  
#  mechanism to stop clients who have ended up in an infinite redirection loop  
#  to the Federation Server. For example, if an RP is having an issue where it  
#  cannot consume the SAML assertion from AD FS, the RP may continuously redirect  
#  the client to the AD FS 2.0 server. When the redirect loop hits a certain  
#  threshold, AD FS 2.0 uses this cookie to detect that threshold being met,  
#  and will throw an exception which lands the user on the AD FS 2.0 error page  
#  rather than leaving them in the loop. The cookie data is a timestamp that is  
#  base64 encoded.  

when ACCESS_ACL_ALLOWED {  
    HTTP::cookie insert name "MSISAuth" value "ABCD" path "/adfs"  
    HTTP::cookie insert name "MSISSignOut" value "ABCD" path "/adfs"  
    HTTP::cookie insert name "MSISAuthenticated" value "ABCD" path "/adfs"  
    HTTP::cookie insert name "MSISLoopDetectionCookie" value "ABCD" path "/adfs"  
}

iRulesLX / Node.JS Portion

If you you are starting from scratch, the npm install xxx --save option below is required. If you are importing the workspace or the github solution, npm update will pull in the latest version of all the referenced modules.

/* Import the f5-nodejs module. */  

var f5 = require('f5-nodejs');  

/* Import the additional Node.JS Modules 
  npm install saml 
  npm install querystring 
  npm install fs 
  npm install moment 
  npm install https 
*/  

var saml11 = require('saml').Saml11;  
var queryString = require('querystring');  
var fs = require('fs');  
var moment = require('moment');  
var https = require('https');  

/*  timeout is the length of time for the assertion validity 
    wsfedIssuer is, believe it or not, the Issuer 
    SigningCert, SigningKey are the required certificate and key pair 
    for signing the assertion and specifically the DigestValue. 
*/  

var timeout = 3600;  
var wsfedIssuer = "http://fakeadfs.f5test.com/adfs/services/trust";  
var SigningCert = "/fakeadfs.f5test.com.crt";  
var SigningKey = "/fakeadfs.f5test.com.key";  

/* Create a new rpc server for listening to TCL iRule calls. */  
var ilx = new f5.ILXServer();  
  
ilx.addMethod('Generate-WSFedToken', function(req,res) {  

    /* Extract the ILX parameters to add to the Assertion data 
      req.params()[0] is the first passed argument 
      req.params()[1] is the second passed argument, and so on. 
    */  

    var query = queryString.unescape(req.params()[0]);  
    var queryOptions = queryString.parse(query);  
    var AttrUserName = req.params()[1];  
    var AttrUserPrincipal = req.params()[2];  
    var wa = queryOptions.wa;  
    var wtrealm = queryOptions.wtrealm;  
    var wctx = queryOptions.wctx;  

    /* This is where the WS-Fed gibberish is assembled.  Moment is required to 
      insert the properly formatted time stamps.*/  

    var now = moment.utc();  
    var wsfed_wrapper_head = "<t:RequestSecurityTokenResponse xmlns:t=\"http://schemas.xmlsoap.org/ws/2005/02/trust\">";  
    wsfed_wrapper_head += "<t:Lifetime><wsu:Created xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">" + now.format('YYYY-MM-DDTHH:mm:ss.SSS[Z]') +"</wsu:Created>";  
    wsfed_wrapper_head += "<wsu:Expires xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">" + now.add(timeout, 'seconds').format('YYYY-MM-DDTHH:mm:ss.SSS[Z]') + "</wsu:Expires>";  
    wsfed_wrapper_head += "</t:Lifetime><wsp:AppliesTo xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\"><wsa:EndpointReference xmlns:wsa=\"http://www.w3.org/2005/08/addressing\">";  
    wsfed_wrapper_head += "<wsa:Address>" + wtrealm + "</wsa:Address>";  
    wsfed_wrapper_head += "</wsa:EndpointReference></wsp:AppliesTo><t:RequestedSecurityToken>";  

    /* Generate and insert the SAML11 Assertion.  These attributed are 
      configured previously in the code. 

      cert: this is the cert used for encryption 
      key: this is the key used for the cert 
      issuer: the assertion issuer 
      lifetimeInSeconds: timeout 
      audiences: this is the application ID for sharepoint, urn:sharepoint:webapp 
      attributes:  these should map to the mappings created for the IDP in SharePoint 
      */  

    var saml11_options = {  
        cert: fs.readFileSync(__dirname + SigningCert),  
        key: fs.readFileSync(__dirname + SigningKey),  
        issuer: wsfedIssuer,  
        lifetimeInSeconds: timeout,  
        audiences: wtrealm,  
        attributes: {  

            'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress':  AttrUserName  ,  
            'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn': AttrUserPrincipal  
        }  
    };  

    /* Sign the Assertion */  

    var signedAssertion = saml11.create(saml11_options);  

    /* Add the WS-Fed footer */  

    var wsfed_wrapper_foot = "</t:RequestedSecurityToken><t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType><t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType><t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType></t:RequestSecurityTokenResponse>";  

    /* Put them all together */  

    var wresult = wsfed_wrapper_head + signedAssertion + wsfed_wrapper_foot;  

    /* respond back to TCL with the complete assertion */  

    res.reply(wresult);  

});  
  
/* Start listening for ILX::call and ILX::notify events. */  

ilx.listen();

And thats it. You can now get away with WS-Fed and SAML1.1 assertions with a quick import to your BIG-IP.

Published Jan 05, 2017

Version 1.0

application delivery

BIG-IP Access Policy Manager (APM)

Employee

Joined January 25, 2011

View Profile

MichaelatF5

Employee

Joined January 25, 2011

View Profile

17 Comments

Shawn_Conway
Cirrus
Aug 05, 2022
MichaelatF5 We resolved the issue after patch 17.0.0.1 by commenting out
# node 127.0.0.1

and the rest of the code continued to work. the issue was related to the irule hardening in patch
006921-8 : iRules Hardening
Component: Local Traffic Manager
Symptoms:
Under certain conditions iRules do not follow current best practices.
Conditions:
Use of iRules with the pool or node commands.
Impact:
iRules do not follow current best practices.
Workaround:
N/A.
Fix:
iRules now follows current best practices.
Behavior Change:
Database variable 'tmm.tcl.rule.node.allow_loopback_addresses' was created to toggle whether or not to allow loopback addresses for iRule node command; "true" will restore previous behavior and enable loopback connections.

The default value is "false".

Thanks,
Shawn
Shawn_Conway
Cirrus
Aug 05, 2022
MichaelatF5 Hey Michael! Thank you for the suggestion of last error it seemed to be our timeout setting causing the issue. We have a new issue after the patch 17.0.0.1 seemed to break this whole thing . Think a security patch is blocking something. We are trying to troubleshoot it now . Did you see anything in the latest security patches breaking it as well?

Thanks! Shawn
MichaelatF5
Employee
May 16, 2022
Shawn_Conway What are your extension settings, specifically what is your concurrency mode set to? Dedicated setting specifies a separate Node.js process for each TMM. Single specifies a single Node.js process for all TMM processes. Dedicated can cause some restarts when it runs out of resources, so Single is usually better for the ADFS stuff.

For logs, it could be filtering messages if there are too many so you may need to:

modify sys db log.sdmd.level value debug
Shawn_Conway
Cirrus
May 10, 2022
MichaelatF5Howdy!! WE have been using this rule for awhile now, but the node.js keeps crashing, We are using version 6.9.1 of node.js version. Do you have any ideas why it would crash. There is nothing in the logs. Thank You!!! Below are the dependecies for the plugin we are using.
{
"BIG-IP-comments": [
"package.json is the standard npm (www.npmjs.org) package definition file.",
"For more information please see www.npmjs.org/doc/package.json.html. "
],
"description": "A custom iRulesLX extension for BIG-IP",
"private": true,
"repository": {},
"engines": {
"node": "6.9.1"
},
"dependencies": {
"f5-nodejs": "0.0.3",
"fs": "0.0.1-security",
"https": "^1.0.0",
"moment": "^2.29.1",
"querystring": "^0.2.1",
"saml": "^1.0.1",
"tedious": "^6.7.1"
}
}
Shawn_Conway
Cirrus
Feb 17, 2021
Great you have it working with 2016. We are going to set this up with Sharepoint 2013, but dont want users to select just automatically go to fakeadfslx setup. We use the APM federation for all our SAML 2.0 SP's and works great, so you dont need this. We migrated all our SP's to F5 APM federation services.
MeMyselfandThem
Nimbostratus
Jan 29, 2020
I know this is an old post, but I would like to ask a question. While I have this working for SharePoint 2016 without a problem, I have this other web app that only supports SAML 2.0. How hard would it be to update this to send a 2.0 assertion? I've been reading a couple of items made it sound like I could use the F5 to do it natively with out the need of a full ADFS then I read something else that says I need a full fledged ADFS. The web app I'm trying to get to work is manageengine ServiceDesk Plus. Thank you for any information.
The-messenger
Cirrostratus
Sep 18, 2019
Thanks again - this looks like an awesome solution.

I had planned on retiring ADFS servers, but then we get 2 new services, with both the service provider knew ADFS and nothing else. In this they are providing the most basic info, for ADFS 1,
Relying party trust identifier, WS-Federation Endpoint, Claims
That's it. For old ADFS this is simple, no certificate, just redirection information. All they wanted from me is the link to the metadata xml file.
I include this info in case more is required to use the solution you've built.
MichaelatF5
Employee
Sep 17, 2019
Absolutely. The main use case was Sharepoint, but we have customers using this with Node.JS apps and other systems for WS-Fed/WS-Trust.
The-messenger
Cirrostratus
Sep 17, 2019
The documentation is specific to SharePoint. Can we do that same with a service provider that only supports, only knows ADFS?
MichaelatF5
Employee
Sep 17, 2019
Has F5 built this as an out of the box solution? No. Does this solution still work today? Yes.

\n$emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress \n\" -IncomingClaimTypeDisplayName \"EmailAddress\" –SameAsIncoming

\n$ap = New-SPTrustedIdentityTokenIssuer -Name (ProviderName) -Description (ProviderDescription) -realm \n$realm -ImportTrustCertificate $cert -ClaimsMappings $emailClaimMap,$upnClaimMap,$roleClaimMap,$sidClaimMap \n-SignInUrl $signInURL -IdentifierClaim $emailClaimmap.InputClaimType

\n<t:RequestSecurityTokenResponse xmlns:t=\"http://schemas.xmlsoap.org/ws/2005/02/trust\"> \n<t:Lifetime> \n <wsu:Created xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">2016-12-20T13:56:01.349Z</wsu:Created> \n <wsu:Expires xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">2016-12-20T14:56:01.349Z</wsu:Expires> \n</t:Lifetime> \n <wsp:AppliesTo xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\"> \n <wsa:EndpointReference xmlns:wsa=\"http://www.w3.org/2005/08/addressing\"> \n <wsa:Address>urn:sharepoint:f5test</wsa:Address> \n </wsa:EndpointReference> \n</wsp:AppliesTo> \n<t:RequestedSecurityToken> \n <saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:1.0:assertion\" MajorVersion=\"1\" MinorVersion=\"1\" \nAssertionID=\"_8Ed1lOeqLhnGTETTOn9BHJn72TZ8lE25\" IssueInstant=\"2016-12-20T13:56:01.363Z\" Issuer=\"http://fakeadfs.f5ttest.com/adfs/services/trust\"> \n<saml:Conditions NotBefore=\"2016-12-20T13:56:01.363Z\" NotOnOrAfter=\"2016-12-20T14:56:01.363Z\"> \n <saml:AudienceRestrictionCondition> \n <saml:Audience>urn:sharepoint:f5test</saml:Audience> \n </saml:AudienceRestrictionCondition> \n</saml:Conditions> \n<saml:AttributeStatement> \n<saml:Subject> \n<saml:SubjectConfirmation> \n<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod> \n</saml:SubjectConfirmation> \n</saml:Subject> \n<saml:Attribute AttributeNamespace=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims\" AttributeName=\"emailaddress\"> \n<saml:AttributeValue>flip@f5test.com</saml:AttributeValue> \n</saml:Attribute> \n<saml:Attribute AttributeNamespace=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims\" AttributeName=\"upn\"> \n<saml:AttributeValue>0867530901@f5test.com</saml:AttributeValue> \n</saml:Attribute> \n</saml:AttributeStatement> \n<saml:AuthenticationStatement AuthenticationMethod=\"urn:oasis:names:tc:SAML:1.0:am:password\" AuthenticationInstant=\"2016-12-20T14:56:01.363Z\"> \n<saml:Subject> \n<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod> \n</saml:SubjectConfirmation> \n</saml:Subject> \n</saml:AuthenticationStatement> \n<Signature xmlns=\"http://www.w3.org/2000/09/xmldsig#\"> \n<SignedInfo> \n<CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/> \n<SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\"/> \n<Reference URI=\"#_8Ed1lOeqLhnGTETTOn9BHJn72TZ8lE25\"> \n<Transforms> \n<Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/> \n<Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/> \n</Transforms> \n<DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"/> \n<DigestValue>fqLP9yVFDNveaOWwyEVl2Bc9M6bEzKb7KMZ2x33VgUc=</DigestValue> \n</Reference> \n</SignedInfo> \n<SignatureValue>tSLsHUu5m1Mc7qNmdfa5daEK2+noAgbuZ5faGaXQw7qCPEvNihXFUjGuwT4qgeIWFsiFcinin \n6Q42DwjRZBL1jcYpAYxP3WQFc+JvRlOaaWecklLmlLGBp9qjyzNzNhgT374T1YkgWJLTm4Jky7bW6HAMWJzT2vCpbSWLbtU=</SignatureValue> \n<KeyInfo> \n<X509Data> \n<X509Certificate>MIIGgjCCBGqgAwIBAgITFQAAAAVVlNqAr99awAAAAAAABTANBgkqhkiG9w0BAQsFADBJMRMwEQYKCZImiZ \nPyLGQBGRYDY29tMRUwEwYKCZImiZPyLGQBGRZjVsYWIxGzAZBgNVBAMTEkY1IExhYiBDQSAoMksxNlIyKTAeFw0xNjEyMTYxN \nTE1MjNaFw0xODEyMTYxNTE1MjNaMG8xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJQQTEUMBIGA1UEBxMLRG93bmluZ3Rvd24xDzAN \nBgNVBAoTBkY1IExhYjEPMA0GA1UECxMGRjUgTGFiMRswGQYDVQQDExJmYWtlYWRmcy5mNWxhYi5jb20wgZ8wDQYJKoZIhvcNAQE \nBBQADgY0AMIGJAoGBALgtr7ROiet3GPUg0yWa2dGPoirQ9dI8XiA7BsUwjTUG5yhAysKm0ZsCstKN92a2e8HxoHxiEZL39XzTxg \n5+3fY4A8hWttlqkKoWutnUS3GpPhfoVdufr8bTcr/vhLPCkuy9GsiDqAMwuiX/B3r0EHqFk3utfL3KDxZ5V94ArwqJAgMBAAGjg \ngK/MIICuzAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0AwwCgYIKwYBBQUHAwEweAYJKoZIhvcNAQkPBGswaTAOBggqhkiG9w0DAgIC \nAIAwDgYIKoZIhvcNAwQCAgCAMAsGCWCGSAFlAwQBKjALBglghkgBZQMEAS0wCwYJYIZIAWUDBAECMAsGCWCGSAFlAwQBBTAHBgU \nrDgMCBzAKBggqhkiG9w0DBzAdBgNVHQ4EFgQUL8AJuPouaekEIK8JuQAthnBS8wHwYDVR0jBBgwFoAUeyV8LWPBfaUCaLG/UR \ncYpOrjK48wgeMGA1UdHwSB2zCB2DCB1aCB0qCBz4aBzGxkYXA6Ly8vQ049RjUlMjBMYWIlMjBDQSUyMCEwMDI4MksxNlIyITAwM \njksQ049V0lOMksxMlIyREMwMDEsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZp \nZ3VyYXRpb24sREM9ZjVsYWrIsREM9Y29tP2NlcnRpZmljYXRl2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN \n0cmlidXRpb25Qb2ludDCB0AYIKwYBBQUHAQEEgcMwgcAwgb0GCCsGAQxUFBzAChoGwbGRhcDovLy9DTj1GNSUyMExhYiUyMENBJT \nIwITAwMjgySzE2UjIhMDAyOSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlnd \nXJhdGlvbixEQz1mNWxhYixEQz1jb20/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRob3Jp \ndHkwIQYJKwYBBAGCNxQCBBQeEgBXAGUAYgBTAGUAcgB2AGUAcjANBgkqhkiG9w0BAQsFAAOCAgEAdom2Hvlw9MTKZbr6Ic3MLDR \nI10QGnflAq9w0/t6H8HN1jnEW8RTikIEpp2nOK7GknFq2161mJ4l5cRGroCyWsHN8to6VqhxqnESYHRyxwZDpS6a8JO4AYc111G \nfRWpB4nOIqs86aboUJDU+vRzrJHeuI1NzsI502i7fjlYqQVtE3FO2VIbekqx9zjHnliAX6l+VbDMFX8P8lP40U9rAIzHUPF+j3p \n34i+4tPtv1/bwTco2EZE8hy2XvJ4xHXzpXYytchRhv+8glYNKK229vhML0micJfnCJQ3xaiJ2e08/GSVoBF9x4J+z4V+XS9aZSn \nP2+N3tZESVVBA8U4kk9u6syfmDc4+ryoIw5XGcBIyitaH7FbKbYyUHY0XuWPHx6FOWWnCe2kIA/Zfs9IDCP/z07egIJabLymLC \nvRhOMyd1s5lajnTFfoFaDd7LlL1ipz94OdhxJ5/Aga7sTEtFPbjnfcSZ8lFglQUOkaKuZt6D/LQ/TW6TyDqPC3RDCoaqkY4MXgnm \nP0dUk9ql1y2qFU2l692ZDZQPB4Tiaa3yXDKwDwCWITQ0YBvIiCcSWoMKXXea96Q2lB3R9n7v9Y6I7eSniZjGqlYYQ3Bdi3FMVz+ \nHGPeMOFq6HbzgnNtjFKwjqokUbwpwA7vZOQmFwEahEEaCPTpK25h4LSpLPtYa3fjfQ=</X509Certificate> \n</X509Data> \n</KeyInfo> \n</Signature> \n</saml:Assertion> \n</t:RequestedSecurityToken> \n<t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType> \n<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType> \n<t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType> \n</t:RequestSecurityTokenResponse>

\nwhen HTTP_REQUEST { \n # Wctx: This is some session data that the application wants sent back to \n # it after the user authenticates. \n\n set wctx [URI::decode [URI::query [HTTP::uri] wctx]] \n\n # Wa=signin1.0: This tells the ADFS server to invoke a login for the user. \n\n set wa [URI::decode [URI::query [HTTP::uri] wa]] \n\n # Wtrealm: This tells ADFS what application I was trying to get to. \n # This has to match the identifier of one of the relying party trusts \n # listed in ADFS. wtrealm is used in the Node.JS side, but we dont need it \n # here. \n # Kept getting errors from APM, this fixed it. \n\n node 127.0.0.1 \n\n # Make sure that the user has authenticated and APM has created a session. \n\n if {[HTTP::cookie exists MRHSession]} { \n\n #log local0. \"Generate POST form and Autopost \" \n\n # tmpresponse is the WS-Fed Assertion data, unencoded, so straight XML \n\n set tmpresponse [ACCESS::session data get session.custom.idam.response] \n\n # This was the pain to figure out. The assertion has to be POSTed to \n # SharePoint, this was the easiest way to solve that issue. Set timeout \n # to half a second, but can be adjusted as needed. \n\n set htmltop \"<html><script type='text/javascript'>window.onload=function(){ window.setTimeout(document.wsFedAuth.submit.bind(document.wsFedAuth), 500);};</script><body>\" \n set htmlform \"<form name='wsFedAuth' method=POST action='https://sharepoint.f5test.com/_trust/'><input type=hidden name=wa value=$wa><input type=hidden name=wresult value='$tmpresponse'><input type=hidden name=wctx value=$wctx><input type='submit' value='Continue'></form/>\" \n set htmlbottom \"</body></html>\" \n set page \"$htmltop $htmlform $htmlbottom\" \n\n HTTP::respond 200 content $page \n } \n} \n\nwhen ACCESS_POLICY_AGENT_EVENT { \n # Create the ILX RPC Handler \n\n set fakeadfs_handle [ILX::init fakeadfs_extension] \n # Payload is just the incoming Querystring \n\n set payload [ACCESS::session data get session.server.landinguri] \n\n # Currently, the mapped attributes are Email & UPN. In some environments, \n # this may match, for my use case, they will not, so there is an LDAP AAA \n # which is queried based on the logon name (email), and the UPN is retrieved \n # from LDAP. \n set AttrUserName [ACCESS::session data get session.logon.last.username] \n set AttrUserPrin [ACCESS::session data get session.ldap.last.attr.userPrincipalName ] \n\n # Current solution uses Node.JS SAML module and can support SAML11, as well \n # as SAML20. The APM policy calls the irule even ADFS, with generates the token \n # based on the submitted QueryString and the logon attributed. \n switch [ACCESS::policy agent_id] { \n \"ADFS\" { \n log local0. \"Received Process request for FakeADFS, $payload\" \n set fakeadfs_response [ILX::call $fakeadfs_handle Generate-WSFedToken $payload $AttrUserName $AttrUserPrin] \n ACCESS::session data set session.custom.idam.response $fakeadfs_response \n } \n } \n} \n\n# This may or may not be needed, they arent populated with actual values, but \n# have not tested WITHOUT yet. \n# \n# MSISAuth and MSISAuth1 are the encrypted cookies used to validate the SAML \n# assertion produced for the client. These are what we call the \"authentication \n# cookies\", and you will see these cookies ONLY when AD FS 2.0 is the IDP. \n# Without these, the client will not experience SSO when AD FS 2.0 is the IDP. \n# \n# MSISAuthenticated contains a base64-encoded timestamp value for when the client \n# was authenticated. You will see this cookie set whether AD FS 2.0 is the IDP \n# or not. \n# \n# MSISSignout is used to keep track of the IDP and all RPs visited for the SSO \n# session. This cookie is utilized when a WS-Federation sign-out is invoked. \n# You can see the contents of this cookie using a base64 decoder. \n# MSISLoopDetectionCookie is used by the AD FS 2.0 infinite loop detection \n# mechanism to stop clients who have ended up in an infinite redirection loop \n# to the Federation Server. For example, if an RP is having an issue where it \n# cannot consume the SAML assertion from AD FS, the RP may continuously redirect \n# the client to the AD FS 2.0 server. When the redirect loop hits a certain \n# threshold, AD FS 2.0 uses this cookie to detect that threshold being met, \n# and will throw an exception which lands the user on the AD FS 2.0 error page \n# rather than leaving them in the loop. The cookie data is a timestamp that is \n# base64 encoded. \n\nwhen ACCESS_ACL_ALLOWED { \n HTTP::cookie insert name \"MSISAuth\" value \"ABCD\" path \"/adfs\" \n HTTP::cookie insert name \"MSISSignOut\" value \"ABCD\" path \"/adfs\" \n HTTP::cookie insert name \"MSISAuthenticated\" value \"ABCD\" path \"/adfs\" \n HTTP::cookie insert name \"MSISLoopDetectionCookie\" value \"ABCD\" path \"/adfs\" \n}

\n/* Import the f5-nodejs module. */ \n\nvar f5 = require('f5-nodejs'); \n\n/* Import the additional Node.JS Modules \n npm install saml \n npm install querystring \n npm install fs \n npm install moment \n npm install https \n*/ \n\nvar saml11 = require('saml').Saml11; \nvar queryString = require('querystring'); \nvar fs = require('fs'); \nvar moment = require('moment'); \nvar https = require('https'); \n\n/* timeout is the length of time for the assertion validity \n wsfedIssuer is, believe it or not, the Issuer \n SigningCert, SigningKey are the required certificate and key pair \n for signing the assertion and specifically the DigestValue. \n*/ \n\nvar timeout = 3600; \nvar wsfedIssuer = \"http://fakeadfs.f5test.com/adfs/services/trust\"; \nvar SigningCert = \"/fakeadfs.f5test.com.crt\"; \nvar SigningKey = \"/fakeadfs.f5test.com.key\"; \n\n/* Create a new rpc server for listening to TCL iRule calls. */ \nvar ilx = new f5.ILXServer(); \n \nilx.addMethod('Generate-WSFedToken', function(req,res) { \n\n /* Extract the ILX parameters to add to the Assertion data \n req.params()[0] is the first passed argument \n req.params()[1] is the second passed argument, and so on. \n */ \n\n var query = queryString.unescape(req.params()[0]); \n var queryOptions = queryString.parse(query); \n var AttrUserName = req.params()[1]; \n var AttrUserPrincipal = req.params()[2]; \n var wa = queryOptions.wa; \n var wtrealm = queryOptions.wtrealm; \n var wctx = queryOptions.wctx; \n\n /* This is where the WS-Fed gibberish is assembled. Moment is required to \n insert the properly formatted time stamps.*/ \n\n var now = moment.utc(); \n var wsfed_wrapper_head = \"<t:RequestSecurityTokenResponse xmlns:t=\\\"http://schemas.xmlsoap.org/ws/2005/02/trust\\\">\"; \n wsfed_wrapper_head += \"<t:Lifetime><wsu:Created xmlns:wsu=\\\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\\\">\" + now.format('YYYY-MM-DDTHH:mm:ss.SSS[Z]') +\"</wsu:Created>\"; \n wsfed_wrapper_head += \"<wsu:Expires xmlns:wsu=\\\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\\\">\" + now.add(timeout, 'seconds').format('YYYY-MM-DDTHH:mm:ss.SSS[Z]') + \"</wsu:Expires>\"; \n wsfed_wrapper_head += \"</t:Lifetime><wsp:AppliesTo xmlns:wsp=\\\"http://schemas.xmlsoap.org/ws/2004/09/policy\\\"><wsa:EndpointReference xmlns:wsa=\\\"http://www.w3.org/2005/08/addressing\\\">\"; \n wsfed_wrapper_head += \"<wsa:Address>\" + wtrealm + \"</wsa:Address>\"; \n wsfed_wrapper_head += \"</wsa:EndpointReference></wsp:AppliesTo><t:RequestedSecurityToken>\"; \n\n /* Generate and insert the SAML11 Assertion. These attributed are \n configured previously in the code. \n\n cert: this is the cert used for encryption \n key: this is the key used for the cert \n issuer: the assertion issuer \n lifetimeInSeconds: timeout \n audiences: this is the application ID for sharepoint, urn:sharepoint:webapp \n attributes: these should map to the mappings created for the IDP in SharePoint \n */ \n\n var saml11_options = { \n cert: fs.readFileSync(__dirname + SigningCert), \n key: fs.readFileSync(__dirname + SigningKey), \n issuer: wsfedIssuer, \n lifetimeInSeconds: timeout, \n audiences: wtrealm, \n attributes: { \n\n 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': AttrUserName , \n 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn': AttrUserPrincipal \n } \n }; \n\n /* Sign the Assertion */ \n\n var signedAssertion = saml11.create(saml11_options); \n\n /* Add the WS-Fed footer */ \n\n var wsfed_wrapper_foot = \"</t:RequestedSecurityToken><t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType><t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType><t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType></t:RequestSecurityTokenResponse>\"; \n\n /* Put them all together */ \n\n var wresult = wsfed_wrapper_head + signedAssertion + wsfed_wrapper_foot; \n\n /* respond back to TCL with the complete assertion */ \n\n res.reply(wresult); \n\n}); \n \n/* Start listening for ILX::call and ILX::notify events. */ \n\nilx.listen();

\n$emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress \n\" -IncomingClaimTypeDisplayName \"EmailAddress\" –SameAsIncoming

BIG-IP iRulesLX FakeADFS - WS-Federation/SAML11

17 Comments

006921-8 : iRules Hardening

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS

006921-8 : iRules Hardening