Forum Discussion

scott_82459
Feb 03, 2015

APM SAML with Kerberos - Basic Auth changing domain name

I have APM set up as IdP with Service-Now as SP with Kerberos and basic auth set up. It is working as expected (except for SLO, but that's another story). I'm running 11.4.1 HF7. We recently merged with a different company, which of course has a different AD domain name. Because of some special requirements I can't just set up cross-domain auth. So let's say I have us.example.com (my original domain) and now them.example.com. All the users in them.example.com actually have userids in us.example.com, but they use their them.example.com userids to log in by default. So when they hit the Service-Now URL, Kerberos auth fails and a login box pops up asking for credentials. If the user simply puts in us.example.com\userid, authentication will succeed, but the users cannot be expected to know that. So I am trying to find a way to rewrite the domain from d2.example.com to ds1.example.com. It is acceptable for the login box to pop up; they just want to enter their us.example.com userid without the domain portion.


Here is the current Access policy:


I use the "AD Query Kerberos Auth" to get the userPrincipalName=%{session.logon.last.username} so I can use %{session.ad.last.attr.sAMAccountName} in the SAML assertion.


I can't use a webtop because the users want to login seamlessly when they go to the service-now link. I did find a possibility here


where there is a reference to using a SharePoint page for the login with a link like this:


You can put the following link on your Jive or SharePoint page (SharePoint in our case) and users will not see the webtop portal. Salesforce Login https://sso.mydomain.com/saml/idp/res?id=//saml_idpsvc_salesforce_stg_01


Log out https://sso.mydomain.com/vdesk/hangup.php3


However I'm not sure that will work either. Any thoughts would be welcome. Thanks in advance...
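One way a practitioner could express the domain rewrite the poster is asking about, as an added example that is not part of the original post and not a confirmed fix for this setup: an APM Variable Assign "custom expression" in Tcl placed after the basic-auth logon page and before the AD Query agent. It assumes that session.logon.last.username holds exactly what the user typed into the login box (THEM\jdoe, jdoe@them.example.com or bare jdoe), that us.example.com is the target domain, and that the AD Query filter (userPrincipalName=%{session.logon.last.username}) expects a UPN; the domain names and the target variable are assumptions to adjust for the real environment.

```tcl
# Added example (not from the original post): APM Variable Assign custom
# expression that normalizes a typed login to <sAMAccountName>@us.example.com.
# Assign its result to session.logon.last.username (or to a custom variable
# referenced by the AD Query filter). Assumption: the variable contains the
# raw basic-auth username; us.example.com is the assumed target domain.
set raw  [string trim [mcget {session.logon.last.username}]]
set user $raw

# NT4 form  DOMAIN\user  -> keep everything after the last backslash
if { [string first "\\" $user] >= 0 } {
    set user [lindex [split $user "\\"] end]
}

# UPN form  user@domain -> keep everything before the first @
if { [string first "@" $user] >= 0 } {
    set user [lindex [split $user "@"] 0]
}

# Reject an empty result so a malformed entry fails closed instead of
# producing "@us.example.com" and matching nothing (or something unintended).
if { $user eq "" } {
    return $raw
}

# Re-attach the assumed target domain; the AD Query then looks up the
# us.example.com account regardless of which domain the user typed.
return "${user}@us.example.com"
```

Because the expression discards the domain the user typed, it only makes sense where every account is guaranteed to exist in the target domain, as the poster describes; the AD Query that follows should still be required to succeed (and its sAMAccountName checked) before the SAML assertion is issued, so a typo in the bare userid cannot be silently mapped to a different account.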