Forum Discussion

Johan_Lång's avatar
Johan_Lång
Icon for Cirrus rankCirrus
Jan 20, 2020
Solved

ADFS Proxy without password

Hello!

 

When a SP-initiated federation is initiated and the user gets to BIGIP APM you normally use a Logon page and send their credentails to ADFS with a "forms client initiated SSO".

 

But imagine a scenario when your users is authenticated through a "SAML Auth", BIGIP only has access to their username. When BIGIP tries to pass credentails with forms client initiated sso this fails because BIGIP is unaware of the password and therefore redirected to ADFS Form-based login page.

 

Is there any workaround for this ? One workaround is to throw up a logon page after a successfull saml auth but I need a passwordless logon for my purposes.

 

Regards,

Johan

APM
application delivery
BIG-IP
  • Johan_Lång's avatar
    Johan_Lång
    Feb 05, 2020

    I figured it out. You need to configure a new claims provider (in this case BankID) and make it available to the RPs. Then you need to make BIGIP to choose wether to use the new CP or Active directory with an iRule.

6 Replies

Sort By
  • Leonardo_Souza's avatar
    Leonardo_Souza
    Icon for Cirrocumulus rankCirrocumulus
    Jan 20, 2020

    Encrypt the SAML assertion (as it will be in the person browser), and pass the password as attributes in the SAML.

    Extract the SAML attribute and add the value to the password variable in APM.

    • Johan_Lång's avatar
      Johan_Lång
      Icon for Cirrus rankCirrus
      Jan 21, 2020

      But there is no password to encrypt? The external idp only provices us with a "personal identity number" in the saml. Neither does these users has any account in our AD.

  • Leonardo_Souza's avatar
    Leonardo_Souza
    Icon for Cirrocumulus rankCirrocumulus
    Jan 21, 2020

    The external IDP needs to send you not only the "personal identity number" but also the password.

     

    So, you need to do SSO with username and password, but you only have username.

    The IDP needs to provide you the passwod in the SAML assertion, or you need to ask the user using a logon page as you already said.

    • Johan_Lång's avatar
      Johan_Lång
      Icon for Cirrus rankCirrus
      Jan 23, 2020

      Here in Sweden we have something called "BankID" issued by our banks. This enables a 2fa, The bank issues a certificate and the user has a pincode. Together with this method you can federate with saml as in our case, bankid sends only The personal identity number back as a subject name.

      Thats it. There is no password to begin with. And no, its not possible to send over the pin code and that would not matter anyhow.

      Ive read alot of posts about adfs proxy, and tried to figure out wether you can make big-ip send a kerberos token (or something else that would fit) or not, but it seems adfs proxy is very limited.

      /Johan

  • Leonardo_Souza's avatar
    Leonardo_Souza
    Icon for Cirrocumulus rankCirrocumulus
    Jan 24, 2020

    If the iDP can't send you the password, and I understand why not, you can't use the username and password to authenticate to the internal application/service, that in this case is ADFS.

     

    Unless you can setup ADFS as SAML SP for that external iDP, or ADFS can accept what you receive in the SAML assertion (BankID for example) for authentication, I don't see any valid option.

  • Johan_Lång's avatar
    Johan_Lång
    Icon for Cirrus rankCirrus
    Feb 05, 2020

    I figured it out. You need to configure a new claims provider (in this case BankID) and make it available to the RPs. Then you need to make BIGIP to choose wether to use the new CP or Active directory with an iRule.