f5learn_164388
Jul 27, 2014

Accessing SSO Credentials on a webtop link

Here is my setup in VPE: Start -> Logon Page -> SSO Credential Mapping -> Webtop and Links Assign -> Allow

In the SSO Credential Mapping I have the Variable Assign to get the username and token from the logon page.

So, my assumption is that when I access the webtop and click on the webtop link, I should be able to access the variables (username, password) as an auth header. But when I check in Fiddler I don't see the session variables. Is my understanding correct?

1 Reply

  • Possibly a few misconceptions:

    1. A webtop link is going to generate an actual 302 redirect to the assigned URL. In a redirect, you can send HTTP headers to the client, but the client won't send them to the destination URL. The only appropriate way to send HTTP headers to an application is if proxied by the BIG-IP.

    2. The SSO credential mapping agent has basically two functions: a) to decrypt the password stored in the secure vault, and b) to generate the session variables used by the various SSO profiles. If you want to pass HTTP Basic, NTLM, or Form authentication data to an internal application, you should probably use the SSO methods. If you want to simply send the user/pass as HTTP headers, you can either use an iRule, or apply an SSO profile and apply the variables to the Header section. The iRule would look something like this:

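      # ACCESS_ACL_ALLOWED fires when a request passes the APM access control check
      when ACCESS_ACL_ALLOWED {
          # replace sets the header on the proxied request, inserting it if absent
          HTTP::header replace USER [ACCESS::session data get session.sso.token.last.username]
          HTTP::header replace PASS [ACCESS::session data get session.sso.token.last.password]
      }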
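
The behaviour described in item 1 of the reply, as an added example that is not part of the original post: a local Python sketch in which a 302 response carries USER/PASS headers to the client, and the request that follows the redirect reaches the destination without them. The servers, the names `App`, `Redirector` and `follow_redirect`, and the credential values are all constructed for illustration.

```python
import http.client
import http.server
import threading
import urllib.request

seen_by_app = {}  # request headers the destination application received

class Quiet(http.server.BaseHTTPRequestHandler):
    def log_message(self, *args):  # suppress per-request logging
        pass

class App(Quiet):
    """Stands in for the internal application the webtop link points to."""
    def do_GET(self):
        seen_by_app.update({k.lower(): v for k, v in self.headers.items()})
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

class Redirector(Quiet):
    """Stands in for the webtop link: a 302 that also carries USER/PASS."""
    target = ""
    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", self.target)
        self.send_header("USER", "alice")        # constructed sample values
        self.send_header("PASS", "example-pw")
        self.send_header("Content-Length", "0")
        self.end_headers()

def serve(handler):
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def follow_redirect():
    """Return (headers on the 302 response, headers the app then received)."""
    seen_by_app.clear()
    app = serve(App)
    Redirector.target = f"http://127.0.0.1:{app.server_port}/"
    hop = serve(Redirector)
    conn = http.client.HTTPConnection("127.0.0.1", hop.server_port)
    conn.request("GET", "/")                      # first hop, redirect not followed
    on_302 = {k.lower(): v for k, v in conn.getresponse().getheaders()}
    conn.close()
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    opener.open(f"http://127.0.0.1:{hop.server_port}/").read()  # follows Location
    app.shutdown()
    hop.shutdown()
    return on_302, dict(seen_by_app)
```

The first dictionary is what a capture tool on the client would show on the 302 response; the second is what the application behind the link receives after the client follows it.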