Forum Discussion

Torijori_Yamamada
Jun 17, 2026

A Method for Auth and SSO

Recently, we discovered CyberArk has moved from the traditional HTML-based auth page to a new JavaScript-based one. So, our client-initiated SSO method isn't working anymore. The WebSSO process could not identify the HTML form objects because there is no HTML form anymore. The new design relies on a bunch of JavaScript which coordinates the client browser to send the requested data to be able to log in. I was never interested in JS and could not point out where the user credential comes into play either.

I've found another method to make the SSO function work again. It is very basic and relies on the sideband method, but I prefer to use the HTTP Auth agent rather than a sideband iRule. Since the "HTTP Auth" profile can store the HTTP status code along with the cookies of the HTTP request we made, we can use it for basic jobs as a "Sideband HTTP Requestor".

Long story short, we basically send a crafted login request to the auth page and it returns a couple of cookies[1] if the credentials are valid. Then we send those cookies to the client as a response. That is all.

An iRule with two distinct functions is good enough for this particular job. One function is to prepare the JSON payload which we send to the web service and the other one is to parse the cookies from the response of the web service.

You need a custom "HTTP Auth" profile. You can take a look at the one below[2] as an example. The HTTP Auth profile can be used only with HTTP services, not HTTPS. In order to use the HTTP Auth profile for sending & receiving HTTP messages to an HTTPS web service, you need to use an http2https virtual server which translates requests and responses. In my example[2] I sent HTTP requests through a fake virtual server which is listening on the "54.54.54.54:80" socket. The CyberArk servers are attached in the pool behind this virtual server.

I used this method for Grafana first around a year ago and it is still working. Grafana has a similar login page which relies on JS.

Here is my iRule:

when CLIENT_ACCEPTED {
   # Let every iRule event fire on this connection (APM restricts them by default)
   ACCESS::restrict_irule_events disable
}
when ACCESS_POLICY_COMPLETED {
   if {[ACCESS::session data get {session.policy.result}] == "allow" } {
         log local0. "APM Session Started Successfully in [ACCESS::session data get {session.user.sessionid}] for [ACCESS::session data get {session.logon.last.username}]"
         # Referencing an unset variable aborts the iRule; bail out if the CookiePreperation agent did not collect all three cookies
         if {![info exists respCookie_0] || ![info exists respCookie_1] || ![info exists respCookie_2]} {
             log local0. "APM ERROR: CyberArk session cookies missing, not redirecting"
             return
         }
         log local0. "APM DEBUG: Policy Complete Cookies: $respCookie_0 $respCookie_1 $respCookie_2"
         # Hand the cookies obtained by the HTTP Auth agent to the client and send it to the vault
         ACCESS::respond 302 Location "https://testpam.example.com/PasswordVault/v10/Accounts" "Connection" "close" "Set-Cookie" ${respCookie_0} "Set-Cookie" ${respCookie_1} "Set-Cookie" ${respCookie_2}
   }
}
when HTTP_REQUEST {
   if {[HTTP::has_responded]} { return }
   if {[string tolower [HTTP::path]] == "/logoff"} {
       set sid [ACCESS::session data get {session.user.sessionid}]
       log local0. "Logging out from [ACCESS::session data get {session.user.sessionid}] for [ACCESS::session data get {session.logon.last.username}]"
       # Expire the three CyberArk cookies on the client, then drop the APM session
       HTTP::respond 302 noserver Location "https://testpam.example.com/PasswordVault/v10" "Connection" "close" "Set-Cookie" "CA11111=; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/PasswordVault/; secure; HttpOnly; SameSite=Strict" "Set-Cookie" "CA22222=; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/PasswordVault/; secure; HttpOnly; SameSite=Strict" "Set-Cookie" "CA66666=; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/PasswordVault/; secure; HttpOnly; SameSite=Strict"
       ACCESS::session remove -sid $sid
   }
}
when ACCESS_POLICY_AGENT_EVENT {
    if {[ACCESS::policy agent_id] == "LoginSessionCreate" } {
       # Generate the JSON payload the HTTP Auth agent posts to the CyberArk v10 login API
       set uname [ACCESS::session data get {session.logon.last.username}]
       set passwd [ACCESS::session data get -secure {session.sso.token.last.password}]
       # Log the username only; the password must never reach the log
       log local0. "APM DEBUG: User: $uname"

       # Escape backslashes and double quotes so the values stay valid JSON strings,
       # and build the map as a proper Tcl list: a space-joined string would break
       # on a password containing whitespace or braces
       set juname [string map {\\ \\\\ \" \\\"} $uname]
       set jpasswd [string map {\\ \\\\ \" \\\"} $passwd]
       set payload {{"username":"UUUU","password":"PPPP"}}
       set payload [string map [list UUUU $juname PPPP $jpasswd] $payload]

       # The payload contains the password, so it is not logged either
       ACCESS::session data set session.custom.http.payload $payload
    }
    if {[ACCESS::policy agent_id] == "CookiePreperation" } {
       #### HTTP Auth ####
       if {([ACCESS::session data get {session.http.last.response_cookie}] != "") && ([ACCESS::session data get {session.http.last.response_status}] == 200) } {
           # HTTP Auth succeeded; the stored cookies are separated by a literal "\r\n"
           set cookies [ACCESS::session data get {session.http.last.response_cookie}]
           log local0. "APM DEBUG: Raw Cookies: $cookies"
           set cookies [string trimright [string map { \\r\\n @ } $cookies] "@"]
           # Tcl has no single-quoted strings, so split on "@" alone
           set cookies [split $cookies "@"]
           log local0. "APM DEBUG: Cookies Now: $cookies"
           set listCount 0
           foreach cookie $cookies {
              set cookie [string trim $cookie]
              # Keep only the CyberArk session cookies (CA11111, CA22222, CA66666)
              if {![string match CA* $cookie]} { continue }
              log local0. "APM DEBUG: listCount: $listCount Cookie: $cookie"
              set respCookie_${listCount} $cookie
              incr listCount
           }
           log local0. "APM DEBUG: Total listCount: $listCount"
       } else {
           log local0. "APM ERROR: CyberArk login failed, status [ACCESS::session data get {session.http.last.response_status}]"
       }
    }
}

 

I have also attached a screenshot of the APM policy. In that APM policy the "GrafanaLogin" is the HTTP Auth agent. Logging lines in the iRule can be suppressed as per your needs.

 

Hope this is helpful for someone. 

 

[1]: Cookie names are: "CA11111", "CA22222", "CA66666"

[2]: 

apm aaa http /Common/CyberArk_Login {
    auth-type custom-post
    connection-timeout 3
    content-type none
    custom-body "%{session.custom.http.payload}"
    form-action http://54.54.54.54/PasswordVault/api/login/
    headers {
        header0 {
            name Content-Type
            value application/json
        }
    }
    request-timeout 5
    success-match-type cookie
    success-match-value CA11111
}

 

May the source be with you...

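The two pieces of logic the post describes, preparing the JSON login payload and parsing the session cookies out of the HTTP Auth agent's response, as an added Python example that is not part of the original post and not F5's or CyberArk's code (Python rather than Tcl because the logic does not depend on the iRule runtime). The cookie names are the ones from the post; the cookie values, the unrelated ASP.NET_SessionId cookie and the literal `\r\n` separator in the sample are constructed to match what the iRule's `string map` splits on. The example also shows why plain placeholder substitution, the way the iRule builds the payload with `string map`, breaks on a password containing a double quote, and how a JSON encoder avoids that.

```python
import json

# Constructed sample of the value the iRule reads from session.http.last.response_cookie:
# the three CyberArk cookies named in the post plus one unrelated cookie, joined by the
# literal backslash-r-backslash-n text that the iRule's `string map { \\r\\n @ }` splits on.
# Cookie values are made up.
SAMPLE_RESPONSE_COOKIE = (
    r"CA11111=abc123; path=/PasswordVault/; secure; HttpOnly\r\n"
    r"CA22222=def456; path=/PasswordVault/; secure; HttpOnly\r\n"
    r"ASP.NET_SessionId=zzz999; path=/\r\n"
    r"CA66666=ghi789; path=/PasswordVault/; secure; HttpOnly\r\n"
)


def naive_payload(username, password):
    """Placeholder substitution with no escaping, the way the iRule's `string map` works.
    A quote or backslash in the password corrupts the JSON body."""
    template = '{"username":"UUUU","password":"PPPP"}'
    return template.replace("UUUU", username).replace("PPPP", password)


def build_login_payload(username, password):
    """Hardened form: a JSON encoder escapes quotes, backslashes and control characters,
    so the body stays valid for any credential the user might type."""
    return json.dumps({"username": username, "password": password}, separators=(",", ":"))


def decode_payload(text):
    """Returns the parsed body, or None when the text is not valid JSON."""
    try:
        return json.loads(text)
    except ValueError:
        return None


def extract_session_cookies(raw, prefix="CA"):
    """Split the stored Set-Cookie lines and keep those whose name starts with `prefix`.
    Handles both the escaped `\\r\\n` text the iRule expects and real CRLF line endings."""
    normalized = raw.replace("\\r\\n", "\n").replace("\r\n", "\n")
    return [line.strip() for line in normalized.split("\n") if line.strip().startswith(prefix)]


def login_succeeded(status, raw_cookies, required="CA11111"):
    """Mirrors the HTTP Auth profile's success rule (success-match-type cookie, value CA11111)
    combined with the iRule's status check: HTTP 200 and the required cookie present."""
    cookies = extract_session_cookies(raw_cookies)
    return status == 200 and any(c.startswith(required + "=") for c in cookies)


def relay_headers(cookies, location):
    """Headers for the 302 that hands the upstream session cookies to the client."""
    headers = [("Location", location), ("Connection", "close")]
    headers.extend(("Set-Cookie", cookie) for cookie in cookies)
    return headers


def expire_headers(cookie_names, path="/PasswordVault/"):
    """Set-Cookie headers that clear each named cookie on logoff, one per cookie name."""
    return [
        ("Set-Cookie",
         f"{name}=; expires=Thu, 01-Jan-1970 00:00:00 GMT; path={path}; secure; HttpOnly; SameSite=Strict")
        for name in cookie_names
    ]


if __name__ == "__main__":
    tricky = 'p"ss\\word'  # a password with a double quote and a backslash
    print("naive payload is valid JSON:", decode_payload(naive_payload("alice", tricky)) is not None)
    print("encoded payload is valid JSON:", decode_payload(build_login_payload("alice", tricky)) is not None)
    cookies = extract_session_cookies(SAMPLE_RESPONSE_COOKIE)
    print("login succeeded:", login_succeeded(200, SAMPLE_RESPONSE_COOKIE))
    for name, value in relay_headers(cookies, "https://testpam.example.com/PasswordVault/v10/Accounts"):
        print(f"{name}: {value}")
    for name, value in expire_headers(["CA11111", "CA22222", "CA66666"]):
        print(f"{name}: {value}")
```

The cookie filter is the same name-prefix match the iRule uses, so any other cookie the vault sets (the ASP.NET_SessionId line in the sample) is dropped before relaying; if the vault later adds a fourth CA-prefixed cookie, the relay list grows with it instead of silently missing one.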