I have a customer who has multiple test accounts for an application where the BIG-IP is the IdP and the application is the SP. Rather than giving these account credentials out to staff, they have asked if there was a way to impersonate a user after authenticating as yourself.

For example:

1. NTLM authenticate as currently logging in user.
2. Check that user is in group "Allow Impersonate"
3. Show logon page allowing user to provide a username to impersonate - no password required
4. Pass this username through to the SAML assertion to be sent back to the SP

So far I have implemented this but it doesn't appear to work correctly - the SP keeps redirecting back to the IdP for authentication and I think it's because I am no doing the LDAP query for the impersonated user. Note that this SAML functionality works just fine when not trying to impersonate a user. The only difference with this new functionality is that I have not included the LDAP Query because it doesn't seem to be possible to run an LDAP Query on behalf of another user.

I feel like I may be trying to implement something that's not possible. If anyone has experience with something similar, I'd appreciate hearing about it.