Bypass Azure Login Page by adding a login hint in the SAML Request

Problem this snippet solves:

Enhance the login experience between F5 (SAML SP) and Azure (SAML IDP) by injecting the "email address" as a login hint on behalf of the user.

This enhances the user experience because it allows to bypass the Azure Login Page and avoids the user to type two times his login/email address.


Example of use

Your application need to be accessed by both "domain users" and "federated users".

Your application is protected by the F5 APM with a "Login Page" that asks for the user "email address". Based on the "email address" value you determine the domain:

  • if the user is a "domain user", you authenticate him on the local directory (AD Auth, LDAP Auth or ...)
  • if the user is a "federated user" (such as xxx@gmail.com), you send him to the Azure IDP that will manage all federated access

This snippet is particularly interesting for the "federated user" scenario because:

  • without this code, a "federated user" will need to type his "login" twice. First time on "F5 Login Page" and the second time on "Azure Login Page"
  • with this code, a "federated user" will need to type his "login" only on the F5 Login Page


How to use this snippet:

  1. Go to "Access > Federation > SAML Service Provider > External IDP Connectors" and edit the "External IdP Connectors" object that match with the Azure IDP app.
  2. On the "Single Sign On Service Settings" add at the end of the "Single Sign On Service URL" the following string "?login_hint=" as shown in the picture below.



The string "?login_hint=" is added here only to be able to uniquely identify it later by the iRule and replaced it.

3. Finally, apply the iRule below on the VS that has the Access Policy enabled and for which the SAML SP role is attributed and is binded to the Azure IDP application. The iRule will simply catch the "Single Sign On Service URL" and replace it with "?login_hint=xxxx@gmail.com".

Code :

when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}

when HTTP_RESPONSE_RELEASE {    
    if { [string tolower [HTTP::header value "Location"]] contains "/saml2/?login_hint="} {
        set user_login [ACCESS::session data get "session.logon.last.mail"]
        #log local0. "Before adding the hint [HTTP::header value "Location"]" 
        set locationWithoutHint "?login_hint="
        set locationWithHint "?login_hint=$user_login"
        HTTP::header replace Location [string map -nocase "${locationWithoutHint} ${locationWithHint}" [HTTP::header Location]]
        #log local0. "After adding the hint [HTTP::header value "Location"]" 
    } 
}

Tested this on version:

No Version Found
Published Mar 06, 2020
Version 1.0

Was this article helpful?

5 Comments

  • hi jad 

    in my case , in first logon page i entered my credential ,then microsoft also asking the second time same login credential because of saml idp and then its goes MSFT authenticator app for approval.

    can you suggest how to bypass second time microsoft login page ,my requirement is ,first time credential entered then i will go to MSFT authenticator app for approval (not for MSFT login page) 

     

     

     

  • Sorry for the late answer, hope fully you find a way to implement this. 

    If not, you need to provide more info about your environment. Is your Azure federated with your Big-IP ? Are you using Password Hash Sync (PHS) ? 

    Regards 

  • Hi Jad, 

    it's seems this senario apply after the sesssion established and VEP completed, and enduser try to login to App require the same credintional already used to Auth VEP"Access Policy", which can be done using SSO 

    My senario same as "Yesh"

    -> enduser start the Access policy sesssion with ADuth using U/P - ADQuery - SAMLAuth "To check device i.e compliant , SSO" which used the same login credintional 

    but the issue here is when the SAML Auth start i't's open session on browser "HTTP" and cant pass the username and password to it