APM is not forwarding authentication token to ADFS

Question

Hello experts,&nbsp;
we configured ADFS on F5, in deployment guide, the name is Securing AD FS with the BIG-IP APM.
Customer had another demmand, to authenticat with UPN only, not with SAMACCOUNTNAME. So I changed AD authentication to LDAP. User is able to authenticate via APM, but authentication token is not forwarded to ADFS. ADFS then see user as not authenticated and is not showing correct web page.
I think, that problem is somewhere in policy editor, but not sure where. Could you please advice?&nbsp;
&nbsp;
In LDAP search filter, I setup: UserPrincipalName=%{session.logon.last.username}, in SSO credentials mapping, we have:
SSO Token Username - Username from Logon Page, SSO Token Password - Password from Logon Page.&nbsp;
Thank you for help&nbsp;
Roman&nbsp;

josiah_39459 · Answer

Since the LDAP auth applies only to the Access Policy, it has no bearing on the backend server.  It sounds to me like your problem is likely in the SSO.&nbsp;
You didn't say what type of SSO you are using, but if it is expecting the samaccountname and you are sending the UPN and they are different, it's obviously going to fail, right?&nbsp;

bigfoot · Answer

Yes, I am using NTLMv1, sorry forgot to add here. and setting is default.Just domain is different.
According to application team, they cannot see any authentication attemp on ADFS

josiah_39459 · Answer

Well, a packet capture and websso logs (potentially debug) will tell you for sure.  NTLM's just a http header.  But it seems as a bare minimum you have to fix your SSO credential assign to be valid.

bigfoot · Answer

It takes some time, but I did packet capture, decrypt traffic, but it  seems that user's credentials are not added to the NTLM header, so they are not passed to ADFS. Does anybody know please, how the correct setup should looks like for ADFS with authentication based on UPN and not SamAccountName?

stanislas_piro2 · Answer

Hi,&nbsp;
If you configured SSO with Kerberos, requirements are:&nbsp;
SSO username must be the sAMAccountName user attributesession.logon.last.domain must be configured with domain FQDN
to authenticate with UPN with AD Auth, you can configure a AD query first with:&nbsp;
UserPrincipalName=%{session.logon.last.username}
attributes : 
samaccountnamememberof

Then Configure a variable assign to :&nbsp;
assign session.logon.last.username with AD attribute sAMAccountName.assign session.logon.last.domain with variable session.ad.last.actualdomain
After this box, you can authenticate user based on the new username variable, and Kerberos is configured with expected variables.&nbsp;

Forum Discussion

APM is not forwarding authentication token to ADFS

6 Replies

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5Access | MacOS Sonoma

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

Related Content

iControl REST Authentication Token Management

Demystifying iControl REST Part 6: Token-Based Authentication

Google Authenticator Soft Token Generator

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

Google Authenticator Token Verification iRule For APM