Forum Discussion

f5rocks_86658
Oct 10, 2016

F5 APM as SP

I'm using an F5 instance in AWS as the SP in SAML. The IdP is on-premise ADFS. Authentication against the IdP and the assertion from the IdP are working fine. How can I forward credentials (username or email attribute) to the back-end application sitting in AWS? The application doesn't support SAML.

12 Replies

  • AN

    @spalan

    I am trying to configure ADFS as IdP and F5 APM as SP. I couldn't find any documentation or help on it. For you, it seems like the ADFS assertion and authentication are working. I have the APM policy as:

    Start -> SAML Auth -> SSO Credential Mapping -> Allow
                                                 -> Deny

    I imported the XML file into External IdP Connectors under SAML -> BIG-IP as SP.

    Local SP Services configured as follows:

    General Settings
    ~~~~~~~~~~~~~~~~
    Name: F5-SP
    Entity ID: https://login.example.com
    SP Name Settings:
      Scheme: https
      Host: login.example.com

    Endpoint Settings
    ~~~~~~~~~~~~~~~~~
    Assertion Consumer Service Binding: POST

    Security Settings
    ~~~~~~~~~~~~~~~~~
    Checked: Authentication Request (certificate and keys selected are different from ADFS)
    Checked: Want Signed Assertion
    Unchecked: Want Encrypted Assertion

    Advanced Settings
    ~~~~~~~~~~~~~~~~~
    Unchecked: Force Authentication
    Checked: Allow Name-Identifier Creation
    Name-Identifier Policy Format: urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQual...
    SP Name-Identifier Qualifier: None

    I am getting the following error:

    /frontend/F5-SP:frontend:dbad7144: Executed agent '/frontend/F5-SP_act_saml_auth_ag', return value 3
    /frontend/F5-SP:frontend:dbad7144: Session variable 'saml./frontend/F5-SP_act_saml_auth_ag.SAMLRequest' set to 'hhhhhhhhhhhhXXXXXX'
    /frontend/F5-SP:frontend:dbad7144: SAML Agent: /frontend/F5-SP_act_saml_auth_ag SAML assertion is invalid, error: Assertion status is not successful
    /frontend/F5-SP:frontend:dbad7144: Executed agent '/frontend/F5-SP_act_saml_auth_ag', return value 0
    /frontend/F5-SP:frontend:dbad7144: Following rule 'fallback' from item 'SAML Auth' to ending 'Deny'

  • Graham_Alderson
    Historic F5 Account

    It depends on how the application needs to receive them. You could inject the values into a header, form fill them, or use Kerberos, as examples.

    After the SAML Auth agent in the policy you'll have some session variables like:

    session.saml.last.nameIDValue (this is the subject NameID)

    session.saml.last.attr.name.myattributename (this will be whatever your attribute is named in your ADFS implementation)

    You could use those session variables, or you could use a Variable Assign agent to move them into something else, such as session.logon.last.username or session.sso.token.last.username.

    I'd suggest header insert if you have the option, as it is simple to build into an application. You can do it with an iRule or a Per Request Policy. In the Per Request Policy insertion method you can leverage the session variable by calling %{session.saml.last.nameIDValue} as the value you're inserting into the header. Then just have your application configured to read that out of the header.
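One way to do the header insert with an iRule, as an added example that is not part of Graham's reply or of any F5 documentation; the header names X-Remote-User and X-Remote-Groups and the attribute name myattributename are assumed placeholders, and the virtual server is assumed to have the APM access policy attached:

```tcl
# Added example, not from the original thread. Assumes the APM access policy
# on this virtual server has run the SAML Auth agent, so the session holds
# session.saml.last.nameIDValue and (placeholder attribute name)
# session.saml.last.attr.name.myattributename. The X-Remote-* header names
# are an assumed convention the back-end application is configured to read.
when HTTP_REQUEST {
    # The back end treats these headers as an authenticated identity, so
    # strip any copies the client sent before setting our own. Without this
    # a client could supply the header itself and bypass the SAML logon.
    HTTP::header remove "X-Remote-User"
    HTTP::header remove "X-Remote-Groups"

    # No APM session on this request (e.g. still in the logon flow):
    # nothing to inject; the access policy handles the redirect to the IdP.
    if { [ACCESS::session sid] eq "" } {
        return
    }

    set user   [ACCESS::session data get "session.saml.last.nameIDValue"]
    set groups [ACCESS::session data get "session.saml.last.attr.name.myattributename"]

    # Only forward an identity the assertion actually provided.
    if { $user ne "" } {
        HTTP::header insert "X-Remote-User" $user
        if { $groups ne "" } {
            HTTP::header insert "X-Remote-Groups" $groups
        }
    } else {
        log local0. "APM session present but no SAML NameID; not injecting identity headers"
    }
}
```

The access policy is what enforces authentication; this iRule only maps the established APM session onto headers, so keep it on the same virtual server as the policy.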


    • AN

      Hi Graham,

      Thanks for your response. Actually it's kind of complicated: Splunk is configured for LDAP and they have authorization based on groups.

      Now I have F5 as SP configured and ADFS as IdP... I am able to get the above configuration working by unchecking the following under Security Settings: Authentication Request, Want Signed Assertion, Want Encrypted Assertion.

      Now the challenge is to make Splunk use SAML...

    • Graham_Alderson
      Historic F5 Account

      Sorry, @Anu Momin, I was commenting on the original question, not your comment, so my answer may not have made sense for your scenario.

      A couple of things to consider for your scenario...

      I would use caution proceeding without enforcing a signed assertion (the "Want Signed Assertion" value). Without that, someone may be able to forge an assertion and pretend to be another user.

      One possible thing to consider for your situation with the assertion validation issue is that when importing the XML for the external IdP connector, it may not have properly imported or attached the ADFS signing certificate. You could go into the external IdP connector, check the "Security Settings" section, and see if the IdP Assertion Verification Certificate is selected there.

      Regarding the backend auth, it sounds like you're on the right track and moving towards getting Splunk to use SAML auth, since you won't be able to just form fill a logon page that does LDAP on the backend, because you don't get the password from ADFS.

    • AN

      Graham, my apologies, I thought you responded to my comment. So in the SP settings I just need to have "Want Signed Assertion" and not worry about any other stuff?

      I have checked, and the IdP Assertion Verification Certificate has a valid cert.

      I went through some options available on Splunk (https://docs.splunk.com/Documentation/Splunk/6.5.1/Security/HowSAMLSSOworks) and found they have configured SSO with all other providers (AD FS, Azure AD, Okta) except F5.

      It seems like Splunk has an option for SAML to work only with an IdP. I am trying to understand, if I have an SP, how this will change their config.

      - If I got it right, with BIG-IP as SP, BIG-IP will send the SAML info to the backend server and the server doesn't need to redirect the user again to the IdP.

      - The other option they have available is ProxySSO, where the proxy passes user identity and groups to Splunk Web through HTTP headers.