sso apm
SOLVED: sending IsCompliant, IsKnown and IsManaged via SAML (SSO)

Background

We have an Entra ID (Azure/Microsoft 365) SAML-based VPN using the APM module and were keen to provide a different device pool to domain devices rather than to personal devices (BYOD). We noted that the Entra ID logs included elements such as whether the device IsCompliant, IsKnown and/or IsManaged.

Wrong step first

We followed part of the exceptionally good video from Matthieu Dierick (https://www.youtube.com/watch?v=DBA84d4VJU8) in which he explains how to configure Intune to make the IsCompliant assertion and push a certificate onto the device to identify it; the BIG-IP Edge Client then sends that certificate back to be used via an API call against Intune (even if Entra ID isn't used for your APM authentication). To get the API bit to function we needed to follow the guidance in https://my.f5.com/manage/s/article/K00943512. But we aren't that far down the route with Intune and, without pushing that certificate, we got the error "Device ID was not found in session variables" (as explained in https://my.f5.com/manage/s/article/K93969130).

To get working: Azure steps

It seems exporting these variables isn't natively available through the GUI, although there were some pointers available from "Azure AD - SAML - Intune - ismanaged attribute" on Microsoft Q&A. In short, navigate to https://portal.azure.com/ and then:

1. Microsoft Entra ID
2. Under Manage > App registrations (this will default to "Owned applications"), choose the "All applications" tab
3. Filter by the name of your SAML configuration
4. Manage > Manifest
5. Take a copy of the manifest in case you want to revert (note that it won't let you save it unless it can parse the input)
6. Find the section "optionalClaims" and inject the following after any groups you pass back:

```json
"optionalClaims": {
  "accessToken": [],
  "idToken": [],
  "saml2Token": [
    {
      "additionalProperties": [ "on_premise_security_identifier" ],
      "essential": false,
      "name": "groups",
      "source": null
    },
    {
      "additionalProperties": [],
      "essential": true,
      "name": "is_device_managed",
      "source": null
    },
    {
      "additionalProperties": [],
      "essential": true,
      "name": "is_device_compliant",
      "source": null
    },
    {
      "additionalProperties": [],
      "essential": true,
      "name": "is_device_known",
      "source": null
    }
  ]
},
```

To get working: APM steps

In the visual policy editor you can now assign variables to those claims of the form:

```
session.logon.last.isknown = mcget {session.saml.last.attr.name.http://schemas.microsoft.com/2014/02/devicecontext/claims/isknown}
session.logon.last.iscompliant = mcget {session.saml.last.attr.name.http://schemas.microsoft.com/2014/09/devicecontext/claims/iscompliant}
session.logon.last.ismanaged = mcget {session.saml.last.attr.name.http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged}
```

So you can end up with a variable assignment box that looks like this (just be careful with copy/paste that it doesn't introduce spaces in the session variables).

Then you can add a new General Purpose > Empty box with a branch rule evaluating:

```
expr {[mcget {session.logon.last.ismanaged}] == "true"}
```

Optionally you can record the output of these variables by adding a Logging box with the entry:

```
username=%{session.logon.last.username}, ismanaged=%{session.logon.last.ismanaged}, iscompliant=%{session.logon.last.iscompliant}, isknown=%{session.logon.last.isknown}
```
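Added example for the topic above (not code from the post, from F5 or from Microsoft): a small Python script that does offline what the post configures in the VPE. It reads the three device-context attributes out of a SAML assertion (APM exposes these as session.saml.last.attr.name.<Name>), copies them into the session.logon.last.* variables the post chose, and applies the post's branch rule and log line. The claim URIs are the real Entra ID attribute names; the two assertions, the username and the SID are constructed for the example, and the BYOD case assumes the device-context claims are simply absent so the unset-variable path is exercised.

```python
"""Device-context SAML claims -> APM session variables -> branch decision.

Added example, not code from the post or from F5. The attribute names are
the real Entra ID claim URIs; everything else (assertions, user, SID) is
constructed sample data.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names exactly as Entra ID emits them. Note the three different
# dates in the URIs: that is why a stray space from copy/paste in the VPE
# silently breaks one of them. Keys are the session variables the post uses.
DEVICE_CLAIMS = {
    "session.logon.last.isknown":
        "http://schemas.microsoft.com/2014/02/devicecontext/claims/isknown",
    "session.logon.last.iscompliant":
        "http://schemas.microsoft.com/2014/09/devicecontext/claims/iscompliant",
    "session.logon.last.ismanaged":
        "http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged",
}


def saml_attributes(assertion_xml):
    """Return {Attribute Name: first AttributeValue text} from an assertion.

    This mirrors the session.saml.last.attr.name.* variables. APM validates
    the assertion signature before populating them; this helper assumes the
    same and must not be pointed at unverified XML (use defusedxml there).
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return attrs


def apm_session_vars(attrs):
    """The post's Variable Assign box.

    A claim missing from the assertion yields "", which is also what mcget
    returns for an unset variable, so the branch rule falls to the fallback.
    """
    return {var: attrs.get(claim, "") for var, claim in DEVICE_CLAIMS.items()}


def is_managed(session_vars):
    """Branch rule: expr {[mcget {session.logon.last.ismanaged}] == "true"}.

    Plain string equality, as in the Tcl expr: only the lowercase literal
    "true" takes the managed branch; "True", "1" and "" all fall through.
    """
    return session_vars.get("session.logon.last.ismanaged", "") == "true"


def log_line(session_vars, username):
    """The post's Logging box with the %{...} substitutions applied."""
    return "username={}, ismanaged={}, iscompliant={}, isknown={}".format(
        username,
        session_vars["session.logon.last.ismanaged"],
        session_vars["session.logon.last.iscompliant"],
        session_vars["session.logon.last.isknown"],
    )


# Constructed sample: a domain-joined, compliant device. Signature, Subject,
# Conditions etc. are omitted; only the AttributeStatement matters here.
MANAGED_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged">
      <saml:AttributeValue>true</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/2014/09/devicecontext/claims/iscompliant">
      <saml:AttributeValue>true</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/2014/02/devicecontext/claims/isknown">
      <saml:AttributeValue>true</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed sample: same user from a personal device. Assumed here that the
# device-context claims are absent; only the groups claim (as an on-prem SID,
# per the manifest above) is present. The SID is made up.
BYOD_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>S-1-5-21-1-2-3-1234</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

if __name__ == "__main__":
    for label, xml in (("domain device", MANAGED_ASSERTION), ("BYOD", BYOD_ASSERTION)):
        session = apm_session_vars(saml_attributes(xml))
        branch = "managed pool" if is_managed(session) else "fallback (personal) pool"
        print(label, "->", branch, "|", log_line(session, "alice"))
```

Running it shows the domain device landing on the managed branch and the BYOD device on the fallback, with the same log line the post's Logging box would emit. The point to keep in mind when reusing the branch rule is that it is a string comparison, so an unset variable, a typo in the claim URI or a differently-cased value all silently select the fallback branch; that is the safe direction (a device that cannot prove it is managed gets the personal pool), but it also means a broken claim mapping looks like "all devices are BYOD" rather than an error, which the logging box is there to catch.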
is it possible to apply SSO when login page and app run on different device?

I was wondering, is it possible to apply SSO when we use webtop login on BIGIP01 and the application on BIGIP02? I'm just trying to understand that the APM profile on the webtop login is to collect and cache the user identity (when using SSO mapping) and the APM profile on the application virtual server is to post the cache that has been stored before. Is it possible to pass this session from BIGIP01 to BIGIP02 to make sure the SSO works properly?

APM Session timeout splash
Hi All,

We are using APM as an OAuth client to provide SSO for applications hosted behind LTM. The problem we are facing now is that F5 is not automatically providing any sign of session timeout; the user has to refresh the screen to get the authentication page again. Is there any way to implement a timeout splash, same as above, for the max session timeout? Any hint will be appreciated.

Form-based Client-initiated SSO - does NOT inject JS
Hi,

I'm writing this article since I had this issue and couldn't find any documentation of this behavior, so I hope this can save you guys some time. My issue was that after configuring Client-initiated SSO and trying to run it, I could see that APM identifies the request and matches the form, but for some reason I couldn't find any signs of Auto/Custom JS injected in the response. I also couldn't find any (debug) logs indicating the problem. After working with support, the reason for that was a missing "Content-Type" header in the HTTP response of the login request (in my case it was a QlikSense app). The next thing you think is: OK, I'm going to add it in an HTTP_RESPONSE iRule event, but according to support an additional VS is required to make it work (probably due to the sequence of events). I decided to try the iRule (HTTP::header replace) on the same VS and guess what? It worked! Enjoy

SSO is not working in one of our applications
Hi DC Experts,

We are having an issue with SSO wherein it is not working. Here is the URL of the link configured as portal access:

https://fs.apmn.org/adfs/ls/idpinitiatedSignon.aspx?loginToRp=http://www.workday.com/mundipharma&done=http%3A%2F%2Fwd3.myworkday.com%2Fmundipharma%2Fd%2Fhome.htmld%3FdeepLinkFetched%3Dtrue%26anchorDeepLink%3Dhttps%253A%252F%252Fwd3.myworkday.com%252Fmundipharma%252Fd%252Fhome.htmld

-Nat