Forum Discussion

Letendart
Dec 09, 2015

VPE logon page : how to set correctly USERNAME and DOMAIN prior to call the AD ...

Hello,

I do not find the variables to set in the entry of the VPE Active Directory auth server ...

I've tuned a logon page with USERNAME set as toto@domain.com. Then, when the AD auth server runs, it concatenates toto@domain.com with the domain set in the AD profile. This happens whether I check or uncheck the split domain!

If I set it as toto I get a SAML error (seems the domain is not correctly set ...)

I saw a lot of things everywhere about this subject but can't manage to fix it.

Easy for you?

Thanks all and have a good day

12 Replies

  • Hi,

    when the logon page is defined with split domain enabled, the variables will be:

    • toto@domain.com
      • session.logon.last.logonname: toto@domain.com
      • session.logon.last.username: toto
      • session.logon.last.domain: domain.com
    • domain\toto
      • session.logon.last.logonname: domain\toto
      • session.logon.last.username: toto
      • session.logon.last.domain: domain

    AD Auth will authenticate the user with the variables:

    • Username: session.logon.last.username
    • Password: session.logon.last.password

    If the domain is not correctly set, you can assign variables after AD Authentication:

    session.logon.last.domain = expr { [mcget {session.ad.last.actualdomain}]}
    
  • hey ... it's getting better with the variables but I now get a problem with the SAML

    means AD and SSO are ok but the ADFS request returns an error

    anyway thanks for your help!


    • Letendart
      Hello, see my comment in the attached file ... it was detected as spam :-)
    • Letendart
      ok I reformatted my message and no more spam ... seems it was the hyphen
  • HI, Yes, the SAML works when I don't try to change the USERNAME value of the logon page. If I fill the USERNAME value of the logon page with the information I catch in the URL (via an iRule), then AD authentication works but SAML fails. I guess that, doing that (changing the USERNAME value), I have also changed other required values going to the SAML: strange (for me).

    As a reminder, I'm trying to implement the ADFS rule on the BIG-IP F5. It runs well, but the logon page is not pre-filled with the username value given by the user when connecting to portal.office.com. So I have set an iRule which gets the username and pre-fills the logon page. But doing that, SAML no longer runs! I'm not far from success but I'm blocked on this problem. cu

     

    • Stanislas_Piro2
      If you want help, share the irule, the VPE screenshot and box properties (without information about your company).
  • Salut Stanislas, OK I finally found MY problem ... It was a bit stupid: to get a value inside the URI I had changed the URI itself! So then, when it went to the ADFS server, the request failed.

    I corrected my error; it remains for me to be sure I'm using the correct variables. I'm using a GLOBAL one,

    is that good practice?
    when HTTP_REQUEST {
      # Walk the query parameters of the request
      set namevals [split [HTTP::query] "&"]
      for {set i 0} {$i < [llength $namevals]} {incr i} {
        set params [split [lindex $namevals $i] "="]
        if { [lindex $params 0] contains "username" } {
          # Strip the hard-coded, still URL-encoded domain suffix and keep the
          # result in a static (shared across all connections) variable
          set static::tmp_username [string map -nocase {"%40domaine-test.com" ""} [URI::query [HTTP::uri] [lindex $params 0]]]
        }
      }
    }

    when ACCESS_POLICY_AGENT_EVENT {
      switch [ACCESS::policy agent_id] {
        "O365_USERNAME" {
          # Copy the captured value into the APM session for the VPE
          ACCESS::session data set session.custom.username $static::tmp_username
        }
      }
    }
  • Hi,

    the use of a static variable is wrong, as static variables are shared between all virtual servers and connections.

    try this iRule doing the same:

    when ACCESS_SESSION_STARTED {
      # Read the landing URI stored in the session and take its query string
      set uri [ACCESS::session data get session.server.landinguri]
      set query [URI::query $uri]
      set namevals [split $query "&"]
      for {set i 0} {$i < [llength $namevals]} {incr i} {
        set params [split [lindex $namevals $i] "="]
        if { [lindex $params 0] contains "username" } {
          # Store the value in a session variable instead of a static one
          ACCESS::session data set session.logon.last.samluser [string map -nocase {"%40domaine-test.com" ""} [URI::query $uri [lindex $params 0]]]
        }
      }
    }
    

    I checked it successfully:

     sessiondump -allkeys
    e5b4ff31.session.logon.last.samluser 4 titi
    e5b4ff31.session.server.landinguri 38 /?terldfkndlfusernamefgjlhgdflkjg=titi
    
  • The following iRule may do the job, as Office 365 sends the username as a parameter... there is no need for the loop:

    when ACCESS_SESSION_STARTED {
        set uri [ACCESS::session data get session.server.landinguri]
        # Read and URL-decode the "username" query parameter of the landing URI
        set username [URI::decode [URI::query $uri username]]
        if {$username ne ""} {
            # Keep only the part before "@"
            ACCESS::session data set session.logon.last.samluser [getfield $username "@" 1]
        }
    }
    
  • Merci Stanislas, it runs perfectly with your last proposal, meaning:

    when ACCESS_SESSION_STARTED {
        set uri [ACCESS::session data get session.server.landinguri]
        set username [URI::decode [URI::query $uri username]]
        if {$username ne ""} {
            ACCESS::session data set session.logon.last.samluser [getfield $username "@" 1]
        }
    }

    I just had to adapt it for my precise concerns. Thanks a lot for your help, I'm now more at ease with iRules, variable assignments and contexts ... cu
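An added example, not from the thread and not BIG-IP code: it models in plain Python the split-domain variable parsing described in the first reply and the "username" extraction of the final iRule, and sets the earlier hard-coded string map stripping next to the getfield-style split on "@". The allow-list regex is an assumption added here; none of the thread's iRules validate the value they copy into the session.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Conservative allow-list for what is copied into session.logon.last.samluser
# (assumption added here; the thread's iRules do no such check).
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def split_logon(logonname):
    """Model of the logon page with 'split domain' enabled, as in the first
    reply: returns (username, domain) for both input forms.
    A bare 'toto' yields an empty domain, which is what the OP ran into."""
    if "@" in logonname:
        user, _, domain = logonname.partition("@")
        return user, domain
    if "\\" in logonname:
        domain, _, user = logonname.partition("\\")
        return user, domain
    return logonname, ""


def strip_fixed_domain(raw_value, domain="domaine-test.com"):
    """Model of the earlier iRules' string map -nocase {"%40domaine-test.com" ""}:
    only that one still-encoded suffix is removed, so any other domain, or a
    value that arrives already decoded, passes through unchanged."""
    return re.sub(re.escape("%40" + domain), "", raw_value, flags=re.IGNORECASE)


def samluser_from_landing_uri(uri):
    """Model of the final iRule: take the 'username' query parameter of the
    landing URI, URL-decode it and keep the part before '@' (getfield ... 1).
    Returns None when the parameter is missing/empty or fails the allow-list."""
    qs = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    values = qs.get("username")
    if not values or values[0] == "":
        return None
    user = values[0].split("@", 1)[0]
    return user if USERNAME_RE.match(user) else None


if __name__ == "__main__":
    # Constructed sample landing URIs, in the shape the sessiondump above shows
    for uri in ("/?username=titi%40domaine-test.com",
                "/?username=titi%40other.com", "/?foo=bar"):
        print(uri, "->", samluser_from_landing_uri(uri))
```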