Kerberos and APM-based SAML IdP
I am stuck getting transparent Kerberos authentication to work with my F5 APM-based SAML IdP. The user's first access to the IdP is successfully transparently authenticated. Following session expiry however, when the user is redirected back to the IdP to login again, they are prompted for credentials.
Has anyone managed to get Kerberos to work nicely with the APM SAML IdP? I am using version 12.0.
I have worked out why the prompt happens; on the first authentication the client is sent 401 Unauthorized and then from that point onwards sends Authorized headers. After session expiry, the user is redirected back through the IdP and is sent 401 Unauthorized again. This causes Internet Explorer to prompt the user for credentials.
As best as I can determine...
- there is no way in the HTTP standard to tell a client that has started sending Authorized headers to stop.
- the IE ClearAuthenticationCache command makes IE stop sending Authorized headers and resolves the issue with Kerberos authentication, but it also clears the session cookies for the SP, and all the user's other cookies too, so this is not a solution.
- there does not seem to be a way to make the F5 use the Authorized header that the client already provided.
- the HTTP 401 Response block seems to be required. I tried working around it (by checking if the session started with Authorization and if so branching directly to a Kerberos Authentication block without a HTTP 401 Response block) and received an error "USession::scheduleExecLastAgent() - can not found the agent".
- I tried a few different ways to "hack" the response without success.
I would really appreciate any assistance to get this working.
Thank you,
Evan
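The challenge/response sequence Evan describes, as an added simulation that is not part of the original post and not F5 or APM code. The "token" is a constructed HMAC stand-in for a Kerberos service ticket (real SPNEGO tokens are ASN.1-wrapped Kerberos AP-REQs), the `IdP` and `Browser` classes are hypothetical models, and the `honour_preemptive` server mode is an assumption used to contrast the behaviour reported in the post (every new session begins with a 401 even when the client already sent credentials) with the behaviour the post is asking for:

```python
"""Simulation of the Negotiate (Kerberos) 401 challenge pattern and the
re-prompt after session expiry. Added example: the token format, the IdP
and the browser model are constructed for illustration, not APM behaviour
taken from F5 documentation."""
import base64
import hashlib
import hmac

# Constructed stand-in for a KDC-issued service ticket: an HMAC over the
# principal using a key only the "KDC" and the service share.
SERVICE_KEY = b"constructed-service-key"
MAC_LEN = hashlib.sha256().digest_size


def make_token(principal):
    """Build the constructed Negotiate token for a principal."""
    mac = hmac.new(SERVICE_KEY, principal.encode(), hashlib.sha256).digest()
    return base64.b64encode(principal.encode() + mac).decode()


def verify_token(token):
    """Return the principal if the token verifies, otherwise None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (ValueError, TypeError):
        return None
    if len(raw) <= MAC_LEN:
        return None
    principal, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(SERVICE_KEY, principal, hashlib.sha256).digest()
    return principal.decode() if hmac.compare_digest(mac, expected) else None


class IdP:
    """Server side: a Kerberos-protected IdP (hypothetical model).

    honour_preemptive=False mirrors the behaviour reported in the post: a new
    session always starts with a 401 challenge, even if the request already
    carries Authorization. honour_preemptive=True accepts credentials the
    client sent on its own (assumed behaviour, not an APM feature)."""

    def __init__(self, honour_preemptive):
        self.honour_preemptive = honour_preemptive
        self.session_user = None   # None: no valid session
        self.challenged = False    # True once a 401 was sent for this session

    def expire_session(self):
        self.session_user = None
        self.challenged = False

    def handle(self, headers):
        if self.session_user is not None:
            return 200, {"X-Authenticated-User": self.session_user}
        auth = headers.get("Authorization", "")
        token = auth[len("Negotiate "):] if auth.startswith("Negotiate ") else None
        if token is not None and (self.honour_preemptive or self.challenged):
            user = verify_token(token)
            if user:
                self.session_user = user
                self.challenged = False
                return 200, {"X-Authenticated-User": user}
        # No usable credentials for this session yet: challenge the client.
        self.challenged = True
        return 401, {"WWW-Authenticate": "Negotiate"}


class Browser:
    """Client side modelled on the IE behaviour described in the post: after
    the first 401 Negotiate it attaches Authorization to every later request;
    another 401 while it is already sending credentials raises a prompt."""

    def __init__(self, principal):
        self.principal = principal
        self.sending_auth = False
        self.prompts = 0

    def get(self, idp):
        headers = {}
        if self.sending_auth:
            headers["Authorization"] = "Negotiate " + make_token(self.principal)
        status, _ = idp.handle(headers)
        if status == 401:
            if self.sending_auth:
                self.prompts += 1  # credentials were already sent: dialog box
            self.sending_auth = True
            headers["Authorization"] = "Negotiate " + make_token(self.principal)
            status, _ = idp.handle(headers)
        return status


def run_scenario(honour_preemptive):
    """First visit, session expiry, redirect back to the IdP; count prompts."""
    idp = IdP(honour_preemptive)
    ie = Browser("evan@EXAMPLE.COM")  # constructed principal
    first = ie.get(idp)
    idp.expire_session()
    second = ie.get(idp)
    return {"first": first, "second": second, "prompts": ie.prompts}


if __name__ == "__main__":
    print("challenge every session:", run_scenario(False))
    print("honour pre-emptive auth: ", run_scenario(True))
```

With `honour_preemptive=False` the second visit returns 200 only after one prompt, which is the symptom in the post; with `honour_preemptive=True` the token the browser already sends is accepted and no prompt occurs. The simulation does not model HTTP keep-alive or the Negotiate mutual-authentication leg; it isolates the one state transition that causes the dialog.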