The Burden of Federated Authentication
If you’ve ever had the pleasure to hear me rant on web access management then you know I like to stress the difference between authentication and authorization. Authentication is the process of ...
Published May 24, 2016
Version 1.0
Cody_Green
Employee
Joined December 29, 2011
Graham_Alderson
May 25, 2016
Historic F5 Account
I’ve never seen it done inside the SAML AuthN request unfortunately, though there may be something out there and would be interested if anyone knows of one. Part of the reason is unfortunately very few IdPs would have the capability of leveraging the identity information even if it were sent by the SP.
Office 365 did it outside the SAML AuthN request by including the email address entered as part of their Referer header. It was only there for a few months though and may have been an accidental feature that happened as a result of changes to their JavaScript-based redirects around that time. Obviously leveraging something like that outside the SAML request is difficult to impossible in most IdPs, but it only took about 10 minutes to do with an iRule and VPE on BIG-IP. Even though it won't work for O365 anymore, perhaps there are other solutions it could be leveraged for; I'll publish it on DevCentral.
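The comment above describes an IdP-side trick: pull the email address the user typed at the SP out of the Referer header and use it to prefill the login form or route to the right home realm. The following is an added example written for this page, not Graham's iRule and not F5 code; it stands in for the iRule logic in plain Python so the handling of the hint can be seen and tested. The query-parameter names (`username`, `login_hint`), the host `sp.example`, and the domain-to-realm table are assumptions, and the Referer value used below is constructed. The security point it demonstrates is that anything read from Referer is an unauthenticated hint: it is validated syntactically, capped in length, and used only for prefill and routing, never as proof of identity.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Loose email shape check: enough to reject junk and odd characters before the
# value is reflected into a form field or used as a routing key. Not a full
# RFC 5322 validator (assumption: a loose check is acceptable for a UI hint).
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
_MAX_HINT_LEN = 254  # common upper bound for an email address


def extract_login_hint(referer, param_names=("username", "login_hint")):
    """Return a syntactically valid email address found in the Referer query
    string, or None. The parameter names are assumed, not O365's real ones."""
    if not referer:
        return None
    try:
        query = urlsplit(referer).query
    except ValueError:
        # Malformed URL in the header: treat as no hint rather than failing.
        return None
    params = parse_qs(query, keep_blank_values=False)
    for name in param_names:
        for value in params.get(name, []):
            value = value.strip()
            if len(value) <= _MAX_HINT_LEN and _EMAIL_RE.match(value):
                return value
    return None


def idp_home_realm(login_hint, known_domains):
    """Map the hint's mail domain to an IdP realm name for home-realm
    discovery. A hint that maps nowhere returns None so the caller can fall
    back to the normal realm-selection page. The hint is routing input only;
    the actual identity is established by the IdP's authentication step."""
    if login_hint is None:
        return None
    domain = login_hint.rsplit("@", 1)[1].lower()
    return known_domains.get(domain)


def session_prefill(referer, known_domains):
    """Build the session variables a policy (VPE-style) would consume.
    Variable names are hypothetical; they illustrate what the hint feeds."""
    hint = extract_login_hint(referer)
    return {
        "session.custom.login_hint": hint or "",
        "session.custom.home_realm": idp_home_realm(hint, known_domains) or "",
    }


if __name__ == "__main__":
    # Constructed sample Referer carrying the address the user typed at the SP.
    sample_referer = "https://sp.example/login?username=alice%40example.com&step=2"
    realms = {"example.com": "corp-idp"}  # assumed mapping
    print(session_prefill(sample_referer, realms))
```

In the iRule version the same three decisions apply: read the header, validate before touching it, and store it in a session variable the policy treats as a prefill value rather than an identity.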