LDAP Query to retrieve results of another account


I have a customer who has multiple test accounts for an application where the BIG-IP is the IdP and the application is the SP. Rather than giving these account credentials out to staff, they have asked if there was a way to impersonate a user after authenticating as yourself.


For example:

  1. NTLM authenticate as the currently logging-in user.
  2. Check that user is in group "Allow Impersonate"
  3. Show logon page allowing user to provide a username to impersonate - no password required
  4. Pass this username through to the SAML assertion to be sent back to the SP


So far I have implemented this, but it doesn't appear to work correctly: the SP keeps redirecting back to the IdP for authentication, and I think it's because I am not doing the LDAP query for the impersonated user. Note that this SAML functionality works just fine when not trying to impersonate a user. The only difference with this new functionality is that I have not included the LDAP Query, because it doesn't seem to be possible to run an LDAP Query on behalf of another user.


I feel like I may be trying to implement something that's not possible. If anyone has experience with something similar, I'd appreciate hearing about it.
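Editor's added example (not code from the original post, and not a BIG-IP APM configuration): the four-step flow above modelled in plain Python so the parts that matter for security can be run and tested offline. It assumes the directory lookup for the impersonated account runs under a service-account bind rather than as that user, that the authenticated user's group list has already been retrieved, and it uses a constructed in-memory directory in place of a real LDAP server; the attribute names (`sAMAccountName`, `objectClass`) and the test account names are illustrative. Two points the post does not mention but a practitioner would want: the username typed on the impersonation logon page (step 3) is untrusted input going into an LDAP search filter, so it is escaped per RFC 4515 before use, and the result records both the impersonated subject and the real authenticated actor so the audit trail shows who actually logged on.

```python
"""Impersonation flow: NTLM-authenticated user -> group check -> lookup of the
target account under a service bind -> subject for the SAML assertion.
Added example with constructed data; not F5's own code or configuration."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

IMPERSONATE_GROUP = "Allow Impersonate"   # group name taken from the post

# RFC 4515: characters that change the meaning of a filter must be escaped,
# otherwise a typed username such as "*" or "a)(b" rewrites the query.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe embedding inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_lookup_filter(username: str, attr: str = "sAMAccountName") -> str:
    """Filter used to retrieve the impersonated account's entry (run under the service bind)."""
    return f"(&(objectClass=user)({attr}={escape_filter_value(username)}))"


# --- Constructed stand-in for the directory (not a real LDAP server) ---------
DIRECTORY: List[Dict[str, str]] = [
    {"objectClass": "user", "sAMAccountName": "alice"},
    {"objectClass": "user", "sAMAccountName": "test-user-01"},
    {"objectClass": "user", "sAMAccountName": "test-user-02"},
]

_EQUALITY = re.compile(r"\((\w+)=([^()]*)\)")


def _unescape(value: str) -> str:
    """Reverse RFC 4515 hex escapes, as a real server would when matching."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def search_directory(entries: List[Dict[str, str]], search_filter: str) -> List[Dict[str, str]]:
    """Minimal evaluator for the AND-of-equalities filters this example builds.
    Each (attr=value) must match exactly; escaped metacharacters are literal."""
    conditions = [(attr, _unescape(val)) for attr, val in _EQUALITY.findall(search_filter)]
    return [e for e in entries if all(e.get(attr) == val for attr, val in conditions)]


class ImpersonationDenied(Exception):
    pass


@dataclass(frozen=True)
class Session:
    logon_user: str          # NTLM-authenticated user (step 1)
    groups: FrozenSet[str]   # group memberships already retrieved for that user (step 2)


@dataclass(frozen=True)
class AssertionSubject:
    subject: str   # value to place in the SAML NameID (step 4)
    actor: str     # who really authenticated; log this alongside the subject


def resolve_assertion_subject(session: Session, requested: Optional[str],
                              directory: List[Dict[str, str]]) -> AssertionSubject:
    """Decide which username goes into the assertion, enforcing the group check."""
    if not requested or requested == session.logon_user:
        return AssertionSubject(subject=session.logon_user, actor=session.logon_user)
    if IMPERSONATE_GROUP not in session.groups:
        raise ImpersonationDenied(f"{session.logon_user} is not in {IMPERSONATE_GROUP!r}")
    # Step 3 input is untrusted: escape it, then look the target up under the
    # service bind (no password for the target is needed, and none is asked for).
    matches = search_directory(directory, build_lookup_filter(requested))
    if len(matches) != 1:
        raise ImpersonationDenied(f"expected exactly one account for {requested!r}, got {len(matches)}")
    return AssertionSubject(subject=matches[0]["sAMAccountName"], actor=session.logon_user)


def impersonation_allowed(session: Session, requested: Optional[str],
                          directory: List[Dict[str, str]]) -> bool:
    """Convenience wrapper: True if the flow would issue an assertion for `requested`."""
    try:
        resolve_assertion_subject(session, requested, directory)
        return True
    except ImpersonationDenied:
        return False


if __name__ == "__main__":
    admin = Session("alice", frozenset({IMPERSONATE_GROUP}))
    print(resolve_assertion_subject(admin, "test-user-01", DIRECTORY))
    print("wildcard neutralised:", search_directory(DIRECTORY, build_lookup_filter("*")))
```

The wildcard case is the one to keep in mind when wiring the real thing: a filter built as `(sAMAccountName=*)` from an unescaped form field matches every account, and whichever entry the directory returns first becomes the asserted subject.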