
SAML: APM as Service Provider (SP) role - is it possible to do SSO credential mapping to the backend server?

Hi, I would like to set up the APM as a Service Provider with an external IdP. What I would like to do is pass the SAML token I receive on to the backend server. The reason is that the SharePoint server also needs the user's credentials, and SharePoint is configured using ADFS.

Anyone have any clue?


Answers to this Question


Is your SharePoint federated with ADFS, and are you running in claims mode? I have the F5 as an SP to SharePoint, but I don't have ADFS. Realistically you might be looking to have F5 be an SP to ADFS, depending on the flow of things and the answers to some of the questions I put. Since this gets somewhat complex, you should try to post a more detailed message about your environment and what you're trying to do. I have the following: an F5 SP that bounces to an F5 IdP (to pick up SSO from our dedicated SSO virtual server/APM). I have a virtual server for SharePoint on which I put an access policy that does a SAML Auth (to the IdP); once it's authenticated against the IdP, I take the information out of the SAML attributes, put the user name and password into the SSO session variables, and do an SSO NTLM configuration to SharePoint. I'll post more details if this solution works for you.


Sounds like a great solution! Could you post more details?

Comments on this Answer
Comment made 26-Feb-2014 by kj07208 284
Actually I was just reading some of your posts on NTLM, great stuff! I think you and I are working something very similar.

I'll leave out our SSO hub. Depending on your requirements, use an iApp Template to create your SharePoint components. Break the strict inheritance.

Create a SAML SP for SharePoint; this is the flow that we have. Do your security certs on the Security Settings screen. Export this out; you'll need it later. (If you want F5 to be the IdP, follow these steps.) Create a SAML IdP Service, then click the Bind button and import the exported metadata from your SP. Once the IdP service is complete, export the IdP and go back to the SP Service. For the SP Service, click Bind and import the metadata from the IdP metadata file.

Create an access policy for your SharePoint server.

There are a few other steps I will try to compile all of this into a document.

Comments on this Answer
Comment made 26-Feb-2014 by EmBee 206
great stuff! I am getting the picture!
Comment made 18-Mar-2014 by Greg 103
@KJ. I am trying to set this exact infrastructure up now. I plan on standing up an ADFS environment to integrate with SharePoint and have APM act as the SP, with an external IdP providing the SAML assertion. Any more documentation you put together on how you set this up would be extremely helpful. Thanks!
Comment made 03-Jan-2017 by AN 165

@kj07208 I have the following APM policy:

Start -> SAML Auth -> SSO Credential Mapping -> Allow
                   -> Deny

I had an XML file from ADFS and uploaded it into External IdP Connectors under Access Policy -> SAML -> BIG-IP as SP. Under the Local SP Service, General Settings: I have the entity ID as https://xyz.com (application URL).

SP Name settings: Scheme: https Host: xyz.com

Security Settings (as far as I can see, only a certificate was added when I uploaded the XML file from ADFS): Unchecked: Sign Authentication Request; Checked: Want Signed Assertion; Unchecked: Want Encrypted Assertion

Advanced Settings: Unchecked: Force Authentication; Checked: Allow Name-Identifier Creation

Name-Identifier Policy Format: Null; SP Name-Identifier Qualifier: Null

I am getting following error in logs:

/frontend/F5-SP:frontend:dbad7144: Executed agent '/frontend/F5-SP_act_saml_auth_ag', return value 3
/frontend/F5-SP:frontend:dbad7144: Session variable 'saml./frontend/F5-SP_act_saml_auth_ag.SAMLRequest' set to 'hhhhhhhhhhhhXXXXXX'
/frontend/F5-SP:frontend:dbad7144: SAML Agent: /frontend/F5-SP_act_saml_auth_ag SAML assertion is invalid, error: Assertion status is not successful
/frontend/F5-SP:frontend:dbad7144: Executed agent '/frontend/F5-SP_act_saml_auth_ag', return value 0
/frontend/F5-SP:frontend:dbad7144: Following rule 'fallback' from item 'SAML Auth' to ending 'Deny'


I need more information on this exact solution for multiple applications. Can anyone assist?

I am looking into SAML with an external IdP, SP on the F5. Back end applications vary in auth types. Looking into implementing ADFS to be consumed on the server/app side. I am curious how SAML gets mapped to NTLM as mentioned above. I thought SAML could only be mapped to Kerberos constrained? How do we get a PW out of SAML?


Hi,

Were you able to map the credentials from SAML (F5 SP) to backend NTLM app?


Hi,

When working with APM as SP, the password is not included in the SAML token!

NTLM, BASIC or form based sso are not supported!

The best solution is to use Kerberos SSO because it doesn't require password!


Hi,

But if I am able to send the password as an encoded SAML attribute in the assertion, can't that be extracted using an iRule, decoded, inserted as session.logon.last.password, and mapped as an SSO Credential Mapping attribute?

Comments on this Answer
Comment made 14-Sep-2017 by Kees van den Bos 814

Why use SAML if your backend already knows the username and the password...

Comment made 14-Sep-2017 by Pushpendu Biswas 53

The purpose is to use the F5 SP as the landing/gateway and use it as an auth broker for multiple backend applications with varying requirements, like OWA and custom IIS apps with NTLM. The F5 SP should be posting the creds to the backend app here with NTLM/forms auth. With the following iRule, I can get the user identity and any attribute in the SAML but not the password. I wonder if F5 is stripping/blocking the keyword "password" in the attribute, or something is wrong with my b64decode.

Any help is highly appreciated.

====================================================================================

when ACCESS_ACL_ALLOWED {
    # Fires after the access policy has completed, so the session variables
    # populated by the SAML Auth agent are available here.
    set username [ACCESS::session data get session.saml.last.identity]
    set password [b64decode [ACCESS::session data get session.saml.last.attr.name.password]]
    # Log the username and only the decoded length; never write the password itself to the log.
    log local0. "Username - $username, decoded password length - [string length $password]"
    # The original rule set the logon variables in ACCESS_SESSION_STARTED, which fires
    # when the session is created, before SAML Auth has run, so $username and $password
    # never existed there. Set them in this event instead.
    if { $username ne "" } {
        ACCESS::session data set session.logon.last.username $username
        # The SSO Credential Mapping agent in the policy has already run by now,
        # so also populate the variables the SSO object itself reads.
        ACCESS::session data set session.sso.token.last.username $username
    }
    if { $password ne "" } {
        ACCESS::session data set session.logon.last.password $password
        ACCESS::session data set session.sso.token.last.password $password
    }
}
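As an added example (not from this thread or from F5), the following Python performs the SP-side inspection that sits behind two points above: the "Assertion status is not successful" error in AN's log, which is what an SP reports when the Response's top-level StatusCode is not Success, and the iRule attempt to pull attributes out of the assertion, which only yields the identity and claims the IdP actually put there. Both SAML Response documents are constructed samples; signature verification is assumed to happen before this step.

```python
# Added example, not from the thread: the SP-side check of a SAML 2.0 Response
# that an SP performs before accepting an assertion. Both XML samples below are
# constructed here, not real ADFS output.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def inspect_response(xml_text):
    """Return (top-level StatusCode value, NameID, {attribute name: [values]}).
    Signature/audience checks are out of scope; a real SP verifies them first."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    status_code = code.get("Value") if code is not None else None
    name_id, attrs = None, {}
    assertion = root.find("saml:Assertion", NS)
    if assertion is not None:
        nid = assertion.find("saml:Subject/saml:NameID", NS)
        name_id = nid.text if nid is not None else None
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            attrs[a.get("Name")] = [v.text for v in a.findall("saml:AttributeValue", NS)]
    return status_code, name_id, attrs

def assertion_is_acceptable(xml_text):
    """False here corresponds to the 'Assertion status is not successful' log error."""
    status_code, name_id, _ = inspect_response(xml_text)
    return status_code == SUCCESS and name_id is not None

# Constructed success: the assertion carries identity and claims, no password.
OK_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>user@xyz.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement><saml:Attribute Name="upn">
      <saml:AttributeValue>user@xyz.com</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed failure: the IdP refused the request, so there is no assertion.
FAILED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r2" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
  </samlp:StatusCode></samlp:Status>
</samlp:Response>"""
```

On the failed sample the nested StatusCode (RequestDenied) is the detail the IdP's own event log will explain; the SP only sees that the top-level code is not Success.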

I'm working on using F5 as a SAML IdP, and I need to emulate a SaaS as SP. I faced a lack of knowledge around how to create such a lab ("the application demo") to use it as an SP.
