Forum Discussion

Joshua_106551
Feb 18, 2014

How to use NTLM to basically bypass the F5 APM login page?

Looking for a way to use NTLM to basically bypass the F5 APM login page.

The overall goal… ADFS can auto-authenticate users to Salesforce if they are on our LAN and a member of the domain via IWA/NTLM. With the implementation of APM, users now have a portal even if they are local domain users.

Has anyone created an access policy to duplicate this process flow?

Thanks!

7 Replies

  • What kj07208 described above would work with Kerberos End-User auth, as the HTTP 401 Response can only be used in conjunction with a Basic or Kerberos Auth scenario. If Kerberos auth is sufficient for you, you can try the setup based on this documentation here.

    If you want to use NTLM, you can follow the description of how to set it up here.

    Your setup would differ from the documentation as you don't need to set up Kerberos SSO on the backend for your use case - simply extracting the username from the NTLM Auth should be sufficient, and then you can use it in the SAML assertion to send to SalesForce.com, etc.

  • Thanks, guys! I am going to test this out and will update. My desire is to just use NTLM, so I am going to run with that option first.

    • ndaems_145583
      Hi Joshua, we are trying to do the same... Were you able to implement the NTLM Auth to bypass the APM Portal? Thanks
  • I just did a write-up on this here:

    https://devcentral.f5.com/articles/leveraging-big-ip-apm-for-seamless-client-ntlm-authentication

  • Michael, we have implemented the solution you provided. The problem we keep running into is that the NTLM username variable is always blank. I have added several message boxes throughout the flow and everything passes except the very last step, which is the AD Query. I have tested via several browsers and Firefox seems to work the best for us. One time we made some changes to browser settings and for one session we were able to see the username variable was set. Out of hundreds of tests only one time have we seen the username variable get populated.

    Thoughts?

    • Michael_Koyfma1
      Something is really weird there. What version of the BIG-IP are you using? If things fail at AD Query, you need to concentrate your efforts on why. After successful NTLM authentication, with the session in progress, you should be able to look at the Session Variables in the reports and see the *.ntlm* values - if the username is populated there, then you need to focus on why AD Query fails. If not, perhaps you can post a copy of your access policy so that we can take a look?
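The example below is added here and is not code from the thread or from F5. It parses the NTLM type 3 AUTHENTICATE_MESSAGE that a browser sends in the Authorization header, which is where the domain and username behind APM's *.ntlm* session variables come from (field layout per MS-NLMP; the OEM fallback encoding and the sample values are assumptions). A captured header that still carries the type 1 NEGOTIATE_MESSAGE means the handshake never completed and there is no username to extract, which is one thing worth checking when the username variable stays blank.

```python
import base64
import struct

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
AUTHENTICATE_MESSAGE = 3
HEADER_LEN = 64  # signature(8) + type(4) + six 8-byte security buffers + flags(4)


def build_authenticate_message(domain, user, workstation):
    """Constructed sample type 3 message (empty LM/NT responses) for offline tests."""
    flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM
    # Payload order: LmResponse, NtResponse, Domain, User, Workstation, SessionKey
    bufs = [b"", b"", domain.encode("utf-16-le"), user.encode("utf-16-le"),
            workstation.encode("utf-16-le"), b""]
    fields, payload, offset = b"", b"", HEADER_LEN
    for b in bufs:
        fields += struct.pack("<HHI", len(b), len(b), offset)  # Len, MaxLen, Offset
        payload += b
        offset += len(b)
    msg = (b"NTLMSSP\0" + struct.pack("<I", AUTHENTICATE_MESSAGE) + fields
           + struct.pack("<I", flags) + payload)
    return "NTLM " + base64.b64encode(msg).decode("ascii")


def parse_authorization_header(header_value):
    """Return domain/user/workstation from an 'Authorization: NTLM <b64>' value;
    raises ValueError unless the token is a type 3 message (a type 1 has no username)."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    msg = base64.b64decode(token)
    if len(msg) < 12 or msg[:8] != b"NTLMSSP\0":
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type != AUTHENTICATE_MESSAGE:
        raise ValueError(f"NTLM message type {msg_type} carries no username")
    if len(msg) < HEADER_LEN:
        raise ValueError("truncated AUTHENTICATE_MESSAGE")
    flags = struct.unpack_from("<I", msg, 60)[0]
    # Strings are UTF-16LE when the UNICODE flag is set, otherwise OEM (assumed latin-1)
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"

    def read_buffer(pos):
        length, _, off = struct.unpack_from("<HHI", msg, pos)
        if off + length > len(msg):
            raise ValueError("security buffer points outside the message")
        return msg[off:off + length].decode(enc)

    # Security buffer positions in the header: Domain @28, User @36, Workstation @44
    return {"domain": read_buffer(28), "user": read_buffer(36),
            "workstation": read_buffer(44)}
```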