APM with SAML for some, AD for others

Question

How do I use SAML for some users, but AD authentication for others.&nbsp;
I have a lab setup where I am using SAML to authenticate to a web page.  My F5 SP provides a login page which asks for email address.  My policy looks like this....&nbsp;
&nbsp;
Under BIgIP as SP I have a binding that binds my IdP with %{session.logon.last.domain} and a domain name.  This functions correctly.&nbsp;
I would like to use the domain part of the email address to determine if SAML is required or AD authentication is required but I can not figure out how to add an AD authenticated domain as a SAML binding.  I have been told that maybe a 'empty box' agent could help but I have not been able to find an example of its use.&nbsp;

niels_van_sluis · Answer

You could extract the domain from the email address and set it with a 'variable assign'. Use  something like this:
session.logon.last.domain = expr { [lindex [split [mcget {session.logon.last.username}] "@"] 1] }

Then you can create an 'Empty Action' to create a Domain Decision box, to do either SAML auth or AD auth. For an example see:
https://devcentral.f5.com/articles/apm-cookbook-multiple-domain-authentication-part-1

Forum Discussion

APM with SAML for some, AD for others

1 Reply

Recent Discussions

google-visualization-issues

The best load balance method on this scenario?

SMS server with BIGIP

Geo Fence in ASM through irule for URI

Client certificate Authentication - open multiple tabs

Related Content

Trying to Fill Some Giant Shoes...

How to limit some snmp mib access

Some Services are More Equal than Others

Some of vCMP Guest is not shown on the Guests Status Page.

Server monitoring - some differences between BIG-IP and NGINX