Forum Discussion
SAML: APM as Service Provider (SP) role - is it possible to do SSO credential mapping to the backend server?
Hi, I would like to set up the APM as Service Provider, having an external IdP. What I would like to do is pass the SAML token I receive on to the backend server. The reason is that the SharePoint server also needs the credentials of the user, and the SharePoint is configured using ADFS.
Anyone any clue?
Is your SharePoint federated with ADFS and are you running in claims mode? I have the F5 as an SP to SharePoint but I don't have ADFS. Realistically you might be looking to have F5 be an SP to ADFS, depending on the flow of things and the answers to some of the questions I put. Since this gets somewhat complex, you should try to put a more detailed message about your environment and what you're trying to do. I have the following: an F5 SP that bounces to an F5 IdP (to pick up SSO from our dedicated SSO virtual server/APM). I have a virtual server for SharePoint with an access policy that does a SAML Auth (to the IdP). Once it's authenticated against the IdP, I take the information out of the SAML attributes, put the user name and pwd into the SSO session variables, and do an SSO NTLM configuration to SharePoint. I'll post more details if this solution works for you.
- EmBee_57573 (Nimbostratus)
Sounds like a great solution! Could you post more details?
- Actually I was just reading some of your posts on NTLM, great stuff! I think you and I are working something very similar.
- rileybauer (Nimbostratus)
I need more information on this exact solution for multiple applications. Can anyone assist?
I am looking into SAML with an external IdP, SP on the F5. Back end applications vary in auth types. Looking into implementing ADFS to be consumed on the server/app side. I am curious how SAML gets mapped to NTLM as mentioned above. I thought SAML could only be mapped to Kerberos constrained? How do we get a PW out of SAML?
- Pushpendu_Biswa (Nimbostratus)
Hi,
Were you able to map the credentials from SAML (F5 SP) to a backend NTLM app?
- Stanislas_Piro2 (Cumulonimbus)
Hi,
When working with APM as SP, the password is not included in the SAML token!
NTLM, BASIC or form-based SSO are not supported!
The best solution is to use Kerberos SSO because it doesn't require a password!
- Pushpendu_Biswa (Nimbostratus)
Hi,
But if I am able to send the password as an encoded SAML attribute in the assertion, can't that be extracted using an iRule, decoded and inserted as session.logon.last.password and mapped as an SSO credentials mapping attribute?
Why use SAML if your backend already knows the username and the password........
- Pushpendu_Biswa (Nimbostratus)
The purpose is to use the F5 SP as the landing/gateway and use it as an auth broker for multiple backend applications with varying requirements, like OWA and custom IIS apps with NTLM. The F5 SP should be posting the creds to the backend app here with NTLM/forms auth. With the following iRule, I can get the user identity and any attribute in the SAML but not the password. I wonder if F5 is stripping/blocking the keyword "password" in the attribute or something is wrong with my b64decode.
Any help is highly appreciated.
====================================================================================
when ACCESS_ACL_ALLOWED {
    set username [ACCESS::session data get session.saml.last.identity]
    set password [b64decode [ACCESS::session data get session.saml.last.attr.name.password]]
    log local0. "Username -$username, Password - $password"
}
when ACCESS_SESSION_STARTED {
    if { [ info exists username ] } {
        ACCESS::session data set session.logon.last.username $username
    }
    if { [info exists password] } {
        ACCESS::session data set session.logon.last.password $password
    }
}
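Added example, not part of the original thread and not F5 code: a small Python check for the two doubts raised in the post above, whether the attribute actually arrives in the assertion under the expected name and whether its value is valid base64. It assumes you have the decoded, unencrypted assertion XML from your own test IdP; the sample assertion, the attribute names and the `inspect_attribute` helper are constructed for illustration, and the report carries only the decoded length, never the secret itself.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample fragment (not captured from a real IdP). Note the capital "P".
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Password"><saml:AttributeValue>UzNjcjN0IQ==</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def inspect_attribute(assertion_xml, wanted):
    """Report whether attribute `wanted` is present and strictly base64-decodable."""
    # Only feed this XML you captured yourself; ElementTree is not hardened
    # against hostile documents.
    root = ET.fromstring(assertion_xml)
    values = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        vals = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        values[attr.get("Name", "")] = vals
    variants = [n for n in values if n != wanted and n.lower() == wanted.lower()]
    report = {
        "names": sorted(values),        # every attribute the IdP actually sent
        "exact": wanted in values,      # name matches character for character
        "case_variants": variants,      # same name, different capitalisation
        "valid_b64": None,              # None means no candidate value found
        "decoded_len": None,
    }
    candidates = values.get(wanted) or next((values[n] for n in variants), [])
    if candidates:
        try:
            decoded = base64.b64decode(candidates[0].strip(), validate=True)
            report["valid_b64"] = True
            report["decoded_len"] = len(decoded)  # length only, never the value
        except (binascii.Error, ValueError):
            report["valid_b64"] = False
    return report


if __name__ == "__main__":
    print(inspect_attribute(SAMPLE_ASSERTION, "password"))
```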
- moureg16 (Cirrus)
I’m working on using F5 as a SAML IdP and I need to emulate a SaaS as SP. I’m facing a lack of knowledge around how to create such a lab, “the application demo”, to use it as an SP.