Forum Discussion

Ty_John
Aug 06, 2020

LDAP Query to retrieve results of another account

I have a customer who has multiple test accounts for an application where the BIG-IP is the IdP and the application is the SP. Rather than giving these account credentials out to staff, they have asked if there was a way to impersonate a user after authenticating as yourself.


For example:

  1. NTLM-authenticate as the currently logged-in user.
  2. Check that the user is in the group "Allow Impersonate".
  3. Show a logon page allowing the user to provide a username to impersonate - no password required.
  4. Pass this username through to the SAML assertion to be sent back to the SP.


So far I have implemented this but it doesn't appear to work correctly - the SP keeps redirecting back to the IdP for authentication, and I think it's because I am not doing the LDAP query for the impersonated user. Note that this SAML functionality works just fine when not trying to impersonate a user. The only difference with this new functionality is that I have not included the LDAP Query, because it doesn't seem to be possible to run an LDAP Query on behalf of another user.


I feel like I may be trying to implement something that's not possible. If anyone has experience with something similar, I'd appreciate hearing about it.
