The Burden of Federated Authentication

  If you’ve ever had the pleasure to hear me rant on web access management then you know I like to stress the difference between authentication and authorization.  Authentication is the process of ...
Published May 24, 2016
Version 1.0
authentication
authorization
BIG-IP Access Policy Manager (APM)
saml
security
Graham_Alderson's avatar
Graham_Alderson
Historic F5 Account
May 25, 2016
I’ve never seen it done inside the SAML AuthN request unfortunately, though there may be something out there and would be interested if anyone knows of one. Part of the reason is unfortunately very few IdP’s would have the capability of leveraging the identity information even if it were sent by the SP. Office 365 did it outside the SAML AuthN request by including the email address entered as part of their referer header. It was only there for a few months though and may have been an accidental feature that happened as a result of changes to their javascript based redirects around that time. Obviously leveraging something like that outside the SAML request is difficult to impossible in most IdPs, but only took about 10 minutes to do with an iRule and VPE on Big-IP. Even though it won't work for O365 anymore perhaps there are other solutions it could be leveraged for, I'll publish it on DevCentral.