on 06-Mar-2020 08:36
Problem this snippet solves:
Enhance the login experience between F5 APM (SAML SP) and Azure AD (SAML IdP) by injecting the user's e-mail address as a login_hint on behalf of the user.
This improves the user experience because it allows the Azure login page to be bypassed, so the user does not have to type their login/e-mail address twice.
Example of use
Your application needs to be accessed by both "domain users" and "federated users".
Your application is protected by F5 APM with a logon page that asks for the user's e-mail address. Based on the e-mail address value you determine the domain:
This snippet is particularly interesting for the "federated user" scenario because:
How to use this snippet:
The string "?login_hint=" is appended here only so that the iRule can uniquely identify it later and replace it.
3. Finally, apply the iRule below on the virtual server that has the access policy enabled, holds the SAML SP role and is bound to the Azure IdP application. The iRule simply catches the redirect to the "Single Sign On Service URL" and replaces "?login_hint=" with "?login_hint=" followed by the user's e-mail address (for example "?login_hint=xxxx@gmail.com").
Code :
when CLIENT_ACCEPTED {
    # Allow HTTP_RESPONSE_RELEASE to fire on this APM-enabled virtual server
    ACCESS::restrict_irule_events disable
}

when HTTP_RESPONSE_RELEASE {
    # Only touch the APM redirect to the Azure SSO URL that carries the
    # "?login_hint=" marker appended to the SP's "Single Sign On Service URL"
    if { [string tolower [HTTP::header value "Location"]] contains "/saml2/?login_hint=" } {
        # E-mail address captured by the APM logon page (custom session variable)
        set user_login [ACCESS::session data get "session.logon.last.mail"]
        #log local0. "Before adding the hint [HTTP::header value "Location"]"
        set locationWithoutHint "?login_hint="
        set locationWithHint "?login_hint=$user_login"
        # Replace the empty marker with the filled-in hint (case-insensitive)
        HTTP::header replace Location [string map -nocase [list $locationWithoutHint $locationWithHint] [HTTP::header Location]]
        #log local0. "After adding the hint [HTTP::header value "Location"]"
    }
}
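The rewrite the iRule performs, reproduced here in Python as an added example (this is not code from the original snippet or from F5) so it can be checked offline. It goes one step beyond the iRule by percent-encoding the address before splicing it in, so that an e-mail containing '+' or other reserved characters survives the round trip to the IdP, and it parses the result back to confirm that both login_hint and the SAMLRequest the SP appended are intact. The tenant name, the SAMLRequest/RelayState values and the assumption that APM appends its own query parameters after the configured "?login_hint=" with '&' are constructed for the example, not taken from the page.

```python
from urllib.parse import parse_qsl, quote, urlsplit

# Marker the administrator appended to the IdP "Single Sign On Service URL";
# the iRule looks for it in the redirect Location header (assumed shape).
MARKER = "?login_hint="


def add_login_hint(location: str, email: str) -> str:
    """Return `location` with the empty login_hint marker filled with `email`.

    Mirrors the iRule's `string map -nocase` replacement: the marker is matched
    case-insensitively and the redirect is returned unchanged when it is absent.
    Unlike the iRule, the address is percent-encoded so '@' and '+' cannot be
    misread by the IdP ('+' would otherwise decode to a space).
    """
    idx = location.lower().find(MARKER)
    if idx == -1:
        return location
    hint = quote(email, safe="")  # '@' -> %40, '+' -> %2B
    return location[:idx] + MARKER + hint + location[idx + len(MARKER):]


def redirect_params(location: str) -> dict:
    """Decode the query string of a redirect into a dict, keeping empty values
    so an unfilled login_hint still shows up as a key."""
    return dict(parse_qsl(urlsplit(location).query, keep_blank_values=True))


if __name__ == "__main__":
    # Constructed sample: what APM would send the browser before the iRule runs
    # (tenant, SAMLRequest and RelayState values are made up for this example).
    before = (
        "https://login.microsoftonline.com/contoso.example/saml2/?login_hint="
        "&SAMLRequest=nZFBa8IwFMf&RelayState=0x1"
    )
    after = add_login_hint(before, "alice+test@contoso.example")
    print(after)
    print(redirect_params(after))
```

Running the module prints the rewritten Location and its decoded parameters; the login_hint is decoded back to the original address and SAMLRequest is untouched, which is the property to verify in the APM logs once the iRule is in place.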
Tested this on version:
No Version Found

hi jad
In my case, on the first logon page I entered my credentials, then Microsoft also asked for the same login credentials a second time because of the SAML IdP, and then it goes to the MSFT Authenticator app for approval.
Can you suggest how to bypass the second Microsoft login page? My requirement is: once the credentials are entered the first time, I go to the MSFT Authenticator app for approval (not to the MSFT login page).