Ray_110220
Feb 15, 2019

How do I pass the username from the F5 APM SP to the RSA IdP?

I have the following Access Policy on our F5 APM:

  1. User connects to the F5 APM, which is configured as the SAML SP.

  2. F5 APM authenticates the user against the local AD.

  3. If AD auth is successful, it does a SAML redirect to the external RSA cloud IdP for additional token authentication. The RSA IdP prompts the user for the Active Directory username and password again (it has access to the same AD as the F5 SP).

  4. It then does additional SMS token authentication for the user.

I need to pass the username that was entered at the F5 logon page (SP) to the RSA IdP so that the end user does not have to re-enter their AD credentials for the additional token authentication at the IdP. In other words, cut out step 3 above.

I can see from the SAML tracer that when the F5 (SP) redirects the user session to the IdP, it is not sending any username by default. How do I get the F5 (SP) to send the username to the RSA IdP?

Any help would be much appreciated.

1 Reply

  • Your F5 acting as the SAML Service Provider (SP) should not be doing direct authentication; that is the job of the Identity Provider (IdP). By its design the SAML SP is not allowed to pass credentials directly to the SAML IdP, so as to preserve the security of the SAML protocol.

    The F5 acting as a SAML SP should redirect the authentication request to the SAML IdP, where the user provides credentials (and, in your case, a second-factor authentication) and gets a SAML token returned (if successful). The user is then redirected back to the F5 and the token is provided, which is validated, and access can be provided to the resource without the F5 ever seeing the user's full credentials.

    Recommend the following links to learn a little more about this setup:

    Following the initial setup, if you need Single Sign-On (SSO) for back-end resources, you can configure credentials passed from your SAML IdP securely if they support this.

    I have been in companies that do not allow this due to internal security policy, which made it difficult.
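To make the reply's point concrete, here is an added example (not code from the thread, from F5 APM, or from RSA) showing the two halves of the flow the SAML tracer captures: the SP's outbound AuthnRequest, which carries an Issuer, an ACS URL and a NameID policy but no field for a username or password, and the SP-side validation of the IdP's Response before access is granted. All entity IDs, URLs, request IDs and the signature value are constructed placeholders; cryptographic verification of the XML signature is assumed to be handled by an XML-DSig library with the IdP's certificate and is only checked for presence here.

```python
"""Added example: what a SAML 2.0 SP sends and what it checks on the way back.

Not code from the thread, F5 APM, or RSA. Entity IDs, URLs and the
signature value are constructed placeholders. The AuthnRequest carries no
credential field at all; the SP grants access only after validating the
IdP's Response (status, InResponseTo, issuer, signature presence, audience,
validity window).
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed AuthnRequest: the shape an SP emits before redirecting to the IdP.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_req1" Version="2.0" IssueInstant="2019-02-15T10:00:00Z"
  Destination="https://idp.example.test/sso"
  AssertionConsumerServiceURL="https://sp.example.test/saml/acs">
  <saml:Issuer>https://sp.example.test/entity</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>
</samlp:AuthnRequest>"""

# Constructed Response with a bearer assertion, as the IdP would POST back to the ACS.
RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
  ID="_resp1" Version="2.0" InResponseTo="_req1" IssueInstant="2019-02-15T10:01:00Z"
  Destination="https://sp.example.test/saml/acs">
  <saml:Issuer>https://idp.example.test/entity</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-02-15T10:01:00Z">
    <saml:Issuer>https://idp.example.test/entity</saml:Issuer>
    <ds:Signature><ds:SignatureValue>constructed-placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2019-02-15T10:00:30Z" NotOnOrAfter="2019-02-15T10:06:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.test/entity</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2019-02-15T10:01:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


def encode_redirect_request(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64 (the SAMLRequest parameter)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def decode_redirect_request(param: str) -> str:
    """Inverse of encode_redirect_request, i.e. what a SAML tracer does to show the XML."""
    return zlib.decompress(base64.b64decode(param), -15).decode()


def summarize_authn_request(xml_text: str) -> dict:
    """List what the SP's request actually carries; note there is no credential field."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    policy = root.find("samlp:NameIDPolicy", NS)
    return {
        "issuer": issuer.text if issuer is not None else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
        "nameid_format": policy.get("Format") if policy is not None else None,
        "child_elements": sorted(c.tag.split("}")[-1] for c in root),
    }


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text: str, expected_idp: str, expected_audience: str,
                      expected_request_id: str, now: datetime) -> list:
    """Return the checks that fail; an empty list means the SP may grant access."""
    root = ET.fromstring(xml_text)
    problems = []
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status not Success")
    if root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match an outstanding AuthnRequest")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion"]
    issuer = assertion.find("saml:Issuer", NS)
    if issuer is None or issuer.text != expected_idp:
        problems.append("assertion issuer is not the configured IdP")
    if assertion.find("ds:Signature", NS) is None:  # presence only; verify with XML-DSig
        problems.append("assertion is unsigned")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("audience restriction does not include this SP")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < parse_time(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= parse_time(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
    return problems


if __name__ == "__main__":
    print(summarize_authn_request(decode_redirect_request(encode_redirect_request(AUTHN_REQUEST))))
    print(validate_response(RESPONSE, "https://idp.example.test/entity",
                            "https://sp.example.test/entity", "_req1",
                            parse_time("2019-02-15T10:02:00Z")))
```

The summary of the decoded request is the practical answer to the question's tracer observation: the only identity-related element the SP sends is a NameIDPolicy describing the format it wants back, and the username appears for the first time in the IdP's assertion. The validation function is the part worth keeping in mind on the SP side: an assertion whose issuer, audience or validity window does not match, or that is unsigned, must be rejected before any SSO credentials are passed on to back-end resources.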