Help
CodeShare
Have some code. Share some code.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Bypass Azure Login Page by adding a login hint in the SAML Request

Jad_Tabbara__J1
Cirrostratus
Cirrostratus

on ‎06-Mar-2020 08:36

Problem this snippet solves:

Enhance the login experience between F5 (SAML SP) and Azure (SAML IDP) by injecting the "email address" as a login hint on behalf of the user.

This enhances the user experience because it allows to bypass the Azure Login Page and avoids the user to type two times his login/email address.


Example of use

Your application need to be accessed by both "domain users" and "federated users".

Your application is protected by the F5 APM with a "Login Page" that asks for the user "email address". Based on the "email address" value you determine the domain:

  • if the user is a "domain user", you authenticate him on the local directory (AD Auth, LDAP Auth or ...)
  • if the user is a "federated user" (such as xxx@gmail.com), you send him to the Azure IDP that will manage all federated access

This snippet is particularly interesting for the "federated user" scenario because:

  • without this code, a "federated user" will need to type his "login" twice. First time on "F5 Login Page" and the second time on "Azure Login Page"
  • with this code, a "federated user" will need to type his "login" only on the F5 Login Page


How to use this snippet:

  1. Go to "Access > Federation > SAML Service Provider > External IDP Connectors" and edit the "External IdP Connectors" object that match with the Azure IDP app.
  2. On the "Single Sign On Service Settings" add at the end of the "Single Sign On Service URL" the following string "?login_hint=" as shown in the picture below.


0151T000003liLlQAI.jpeg


The string "?login_hint=" is added here only to be able to uniquely identify it later by the iRule and replaced it.

3. Finally, apply the iRule below on the VS that has the Access Policy enabled and for which the SAML SP role is attributed and is binded to the Azure IDP application. The iRule will simply catch the "Single Sign On Service URL" and replace it with "?login_hint=xxxx@gmail.com".

Code :

when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}

when HTTP_RESPONSE_RELEASE {    
    if { [string tolower [HTTP::header value "Location"]] contains "/saml2/?login_hint="} {
        set user_login [ACCESS::session data get "session.logon.last.mail"]
        #log local0. "Before adding the hint [HTTP::header value "Location"]" 
        set locationWithoutHint "?login_hint="
        set locationWithHint "?login_hint=$user_login"
        HTTP::header replace Location [string map -nocase "${locationWithoutHint} ${locationWithHint}" [HTTP::header Location]]
        #log local0. "After adding the hint [HTTP::header value "Location"]" 
    } 
}

Tested this on version:

No Version Found
Comments
Kevin_Davies
MVP
MVP
‎30-Jun-2020 17:14

Nice, I had to do this using layered virtuals. This is a much better solution.

0 Kudos
Jad_Tabbara__J1
Cirrostratus
Cirrostratus
‎01-Jul-2020 04:39

Thanks Kevin 🙂

0 Kudos
Yesh1923
Nimbostratus
Nimbostratus
‎23-Feb-2023 01:02

hi jad 

in my case , in first logon page i entered my credential ,then microsoft also asking the second time same login credential because of saml idp and then its goes MSFT authenticator app for approval.

can you suggest how to bypass second time microsoft login page ,my requirement is ,first time credential entered then i will go to MSFT authenticator app for approval (not for MSFT login page) 

 

 

Yesh1923_0-1677142606665.png

 

0 Kudos
Version history
Last update:
‎06-Mar-2020 08:36
Updated by:
Cirrostratus
Contributors
Copyright © 2023 Khoros, LLC