Yes and no, SanjayP - you are way further in the process than my question... :)
YES: It should know the NameID, but
NO: Not from the AD/LDAP lookup, but from the SAML AuthnRequest.
Elaboration: My process is:
- User clicks on SP's login page on "authenticate with SAML" and is prompted to enter e.g. his email address
- SP decides to send an AuthnRequest to our F5, as this is our IdP. THIS CONTAINS THE NAMEID AND THE SUBJECT ATTRIBUTES. Both contain the user's email address.
- WHAT I WANT TO DO NOW on the F5: Extract either of those attributes, treat them (i.e. cut the @domain part) and set session.last.username.
- Show a login window with just a password prompt (as we already know the user name).
- NOW do the LDAP authentication, LDAP lookup, and calculating the SAML attributes for the SP. (That's where you think we are already - if I get your post correctly.)
- Issue the SAML assertion for the User for connecting the SP.
- SP does - based on the provided SAML attributes - the authorization for its services and grants access accordingly.
So, my question goes to step 3, not to step 5 :)
Cheers,
HP.
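As an added illustration of step 3 above (not code from the thread, and not F5 APM's own mechanism), the following Python parses a constructed SAML 2.0 AuthnRequest, pulls the NameID out of its Subject, checks that the NameID is in email-address format, and returns the local part that would be used to pre-fill the username. The sample request, the IDs and the hostnames in it are constructed for the example; the regex for an acceptable local part is an assumption and should be adjusted to the site's own username rules. The value in an AuthnRequest is unauthenticated input from the SP, which is why it is only a hint for the login form here and why the real LDAP authentication in step 5 still decides who the user is.

```python
import re
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by AuthnRequest (samlp) and Subject/NameID (saml).
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Assumed site policy for a username local part (constructed for this example).
LOCAL_PART_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# Constructed sample AuthnRequest as an SP might send it (not captured from a real SP).
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-id-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    AssertionConsumerServiceURL="https://sp.example.com/saml/acs">
  <saml:Issuer>https://sp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="false"/>
</samlp:AuthnRequest>"""

# Constructed sample without a Subject: the SP gives no username hint at all.
SAMPLE_NO_SUBJECT = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_example-id-2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"/>"""


def extract_name_id(authn_request_xml):
    """Return (value, format) of the Subject/NameID in an AuthnRequest, or None."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return None
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        return None
    return name_id.text.strip(), name_id.get("Format", "")


def username_hint_from_authn_request(authn_request_xml):
    """Local part of an email-format NameID, or None if absent or not acceptable.

    This is only a hint for pre-filling the login form; the user is still
    authenticated against LDAP afterwards.
    """
    found = extract_name_id(authn_request_xml)
    if found is None:
        return None
    value, fmt = found
    if fmt != EMAIL_FORMAT:
        return None
    local, sep, domain = value.partition("@")
    if not sep or not domain:
        return None
    if not LOCAL_PART_RE.fullmatch(local):
        return None  # reject anything that is not a plain username
    return local


if __name__ == "__main__":
    print(username_hint_from_authn_request(SAMPLE_AUTHN_REQUEST))
    print(username_hint_from_authn_request(SAMPLE_NO_SUBJECT))
```

The hint is only written into the session (session.last.username in the post's terms) when the NameID has the expected format and the local part passes the allow-list, so a malformed or unexpected Subject simply falls back to the normal login form with an empty username field. Since the AuthnRequest is untrusted XML, a production parser should use a hardened library such as defusedxml rather than the standard library's ElementTree shown here.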