AutoFill username for Office 365 Federation

Hi. This is a simple question but I can't find a solution and we are just getting started with our F5 implementation. I have deployed the Office 365 federation using the f5.microsoft_office_365_idp.v1.1.0 iApp. I've got things working but when it redirects to my login page on the F5 the username field is blank. Is this normal? Is there any way to get the username from O365 and pre-populate that field?

Thanks for any help,
Jon


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi. I found that I had to add an additional iRule on the http_request to parse the referer to get the username and then append it to the URI if it contained a username parameter. Here is my final iRule:

when HTTP_REQUEST {
    # Only act on requests to the SAML IdP SSO endpoint
    if { [HTTP::uri] starts_with "/saml/idp/profile/redirectorpost/sso" } {
        if { [HTTP::header exists "Referer"] } {
            set received_referer [HTTP::header "Referer"]
            #log local0. $received_referer
            if { $received_referer contains "username=" } {
                #log local0. "referer has username"
                # Pull the username parameter out of the Referer query string
                set username [URI::decode [URI::query $received_referer username]]
                #log local0. $username
                # Re-encode "@" and carry the username on the request URI
                HTTP::uri "/saml/idp/profile/redirectorpost/sso?username=[string map -nocase {"@" "%40"} $username]"
            }
            unset received_referer
        }
    }
}
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "GetURIusername" } {
        # Read the username back from the landing URI and restore "@"
        set username [string map -nocase {"%40" "@"} [URI::query [ACCESS::session data get session.server.landinguri] username]]
        log local0. "NewUsername = $username"
        # Only populate the session variables when a username was found
        if { $username != "" } {
            ACCESS::session data set session.custom.foundusername "1"
            ACCESS::session data set session.custom.upn $username
            ACCESS::session data set session.logon.last.username $username
        }
    }
}
Comments on this Answer
Comment made 22-Aug-2017 by mike.drennen 268

Is this still working for you? We are needing to implement something like this to autopopulate the username on the F5 logon screen for SP initiated requests.

Thanks,

Mike

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hello,

It's currently not possible to pass attributes in the authrequest.

As an alternative, you may configure SAML IDP initiated authentication. This way, the user completes the authentication process and is then redirected to O365.

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

We got this working in our environment.

The following iRule was used to capture the username from the incoming request from O365.

when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "GetURIusername" } {
        # Read the username parameter from the landing URI and restore "@"
        set username [string map -nocase {"%40" "@"} [URI::query [ACCESS::session data get session.server.landinguri] username]]
        #log local0. "Username = $username"

        # Flag for the branch rule, keep the full UPN, and pre-fill the
        # logon page with the part before "@" (domain removed)
        ACCESS::session data set session.custom.foundusername "1"
        ACCESS::session data set session.custom.upn $username
        ACCESS::session data set session.logon.last.username [lindex [split $username "@"] 0]
    }
}

After that we have a branch rule that if session.custom.foundusername = 1 it goes to a logon page with a READ ONLY username field. If it's not set, you get a standard logon page.

If you don't have the username as read only it's not populated.

Note that in our iRule we removed the domain from the input as it caused issues.

HTH

Comments on this Answer
Comment made 31-Mar-2016 by Jonathon Page 124
Thanks for the post. I've implemented this as you indicated but my username variable is not being set. I've uncommented the log and it's showing that $username is blank. I'm running 11.6.0.442. I've done some HTTPWatch traces and it looks like the URI that I'm receiving doesn't have any parameters. I'm receiving an HTTP POST which has the SAML token and a referrer that has the username. I've tried to parse the username from the referrer but I can't figure out how to get from the HTTP_REQUEST iRule to the ACCESS_POLICY_AGENT_EVENT.
Comment made 19-Jul-2016 by coreyva 152

Have you gotten this working? Neither the GET nor POST from O365 supply the username so I'm unable to populate the field. The issue must be with my configuration on the O365 side, or they no longer send it.

Edit: Apparently Microsoft no longer sends the username so this doesn't work anymore.
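
A hardened variant of the ACCESS_POLICY_AGENT_EVENT handlers posted in the answers above, as an added example that is not code from any poster or from F5: the landing URI (and the Referer it may have been built from) is client-supplied, so the username parameter is validated before it is written to session variables. The 254-character limit and the allowed character set are assumed policy to adjust for your directory; the agent ID and session variable names are the ones used in the answers.

```tcl
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "GetURIusername" } {
        # The landing URI comes from the client, so treat the parameter as untrusted.
        set landing   [ACCESS::session data get session.server.landinguri]
        set candidate [URI::decode [URI::query $landing username]]

        # Assumed policy: bounded length and a strict local@domain shape.
        # Anything else is ignored rather than sanitized.
        if { [string length $candidate] <= 254
             && [regexp {^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$} $candidate] } {
            ACCESS::session data set session.custom.foundusername "1"
            ACCESS::session data set session.custom.upn $candidate
            ACCESS::session data set session.logon.last.username $candidate
        } else {
            # Flag stays off so the branch rule falls through to the standard logon page.
            ACCESS::session data set session.custom.foundusername "0"
            if { $candidate ne "" } {
                # Log only the length, never the rejected value itself.
                log local0.warning "GetURIusername: rejected username parameter, length [string length $candidate]"
            }
        }
    }
}
```

With this variant an empty or malformed parameter never reaches session.logon.last.username, so the read-only logon page described above is only shown for a value that passed the check.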