Forum Discussion

jaolokonto's avatar
jaolokonto
Icon for Altostratus rankAltostratus
Feb 26, 2021
Solved

APM combining SAML and AD to work together

Hello,

 

I have working configuration of SSL VPN based on AD auth. Due to MFA requirements we decided to implement SAML authentication to cloud based provider.

 

I got this configuration working but it forces users to provide username twice, so i tried to find workaround for that, this is my policy:

 

 

What i did was:

  • autenticate user with saml
  • receive his username and assign it to username variable
  • on the logon page hide the username field and try to push it into ad auth
  • at this point the authentication fails with error in log: Auth (logon attempt:0): authenticate with '' failed

If i skip this and allow user to populate username field in logon page everything works fine.

 

Has anyone a clue what might be missing here? I even tried to map multiple values to username, force APM to assume domain name etc, but nothing helps.

APM
security
  • PeteWhite's avatar
    PeteWhite
    Mar 01, 2021

    OK, let's break this down. You needed a chain from SAML auth to the AD logon via the Logon page. You inserted the username variable so that it could be displayed but broke the chain there - you showed it to the user but hadn't included it in the form to pass it on to the AD auth. Now you have included it in the form, it is passed on to the AD auth. You could have skipped the variable assign and populated the form field directly from the SAML auth but for debugging purposes it is good to include that step anyway. Hopefully that makes sense now.

6 Replies

Sort By
  • PeteWhite's avatar
    PeteWhite
    Icon for Employee rankEmployee
    Feb 26, 2021

    How about if you just have a variable assign after the logon page which grabs the username directly from the saml assertion and overwrite the variable received from the logon page?

    • jaolokonto's avatar
      jaolokonto
      Icon for Altostratus rankAltostratus
      Feb 26, 2021

      I wouldn't mind doing it like that however the point is we have to push into logon page some kind of information that SAML returned X as username so i figured out to do it like this:

      user3 is username that i used to authenticate into saml. This is populated by using %username from Variable Assign block. For some reason if i just allow user to type his username into Logon Page (and it gets mapped to username variable) it works fine, but if i pass it like this it returns the error that "" failed. It seems to me that there is some extra mapping but i can't figure out how it works exactlly.

    • jaolokonto's avatar
      jaolokonto
      Icon for Altostratus rankAltostratus
      Mar 01, 2021

      No, there was no username field at all, just passing variable from "assign variable" block.

       

      I changed the logon portal to this:This results in user field populated from "assign variable" block and ends with sucessfull authentication. I do not understand why previous config was not working, in the end the "username" variable stays the same, for some reason however it needs to be enforced by logon page.

      • PeteWhite's avatar
        PeteWhite
        Icon for Employee rankEmployee
        Mar 01, 2021

        OK, let's break this down. You needed a chain from SAML auth to the AD logon via the Logon page. You inserted the username variable so that it could be displayed but broke the chain there - you showed it to the user but hadn't included it in the form to pass it on to the AD auth. Now you have included it in the form, it is passed on to the AD auth. You could have skipped the variable assign and populated the form field directly from the SAML auth but for debugging purposes it is good to include that step anyway. Hopefully that makes sense now.