Forum Discussion

AP_129594
Aug 14, 2014

APM - Cross domain support

I have an APM portal that was designed for users from 2 domains to log in to different SharePoint resources. Domain B trusts domain A, and I can easily use split domain at login and cross domain support. Here is the challenge: domain B users should never know anything about their domain other than their userID. So here is the design:

              |(/DomainA) --> Logon Page --> SSO Credential Mapping --> AD Auth (against domain A)
Landing URI --|
              |(fallback) --> Logon Page --> SSO Credential Mapping --> AD Auth (against domain B)

This becomes an issue when users from Domain A log off: they are redirected back to the root of the login page, which will eventually query against domain B.

Could anybody help with an iRule to detect DomainA users and redirect them back to the same landing URI after they log off? Or maybe a better solution?

2 Replies

  • Thanks for the response. I have crossed this path above, but the business requires the external users from DomainB to NOT know their domain name or email address via UPN. If it were domainA trusting domainB, then I could just do an AD query against domainB and tell domainA users to specify their UPN logon. I think the easiest solution is to keep the same policy with different landing URIs, but redirect the logout session to a hosted HTML page that has links to the different landing URLs.

     

  • What about using the trial-and-fail method: when the user enters their user name, set the domain to domainB\userX and do a query; if you get no results back, fall back to querying domainA. The only problem is the extra queries and time. What about dropping a cookie on the user's machine?

     

    Sample code for reading cookies and injecting into a variable for the APM

     

    -------------------------------------- iRULE --------------------------------------

     

    when ACCESS_SESSION_STARTED {
       log local0. "**** Access Session Started ............"
       log local0. "Checking for cookies .................."

       # Default until a cookie tells us otherwise: no domain known
       ACCESS::session data set session.custom.domain 0

       # Only read the cookie once we know the client sent it
       if {[HTTP::cookie exists "UserDomain"]}{
         set domain [HTTP::cookie "UserDomain"]
         log local0. ">>> Cookie set ... ($domain)"
         # The cookie is client-supplied, so the policy should treat
         # session.custom.domain as a routing hint only and still
         # authenticate the user against the chosen domain
         ACCESS::session data set session.custom.domain $domain
       }
    }
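Building on the cookie idea in the reply above, the following is an added example iRule that is not code from this thread or from F5. It remembers which landing URI a user arrived on, carries that into the APM session as session.custom.domain, and after logoff sends the user back to that landing URI instead of the root. It assumes the two landing URIs are /DomainA and /DomainB, that APM shows its built-in /my.logout.php3 page after /vdesk/hangup.php3, and the cookie name LandingURI is made up for the example. Because the cookie is client-controlled, its value is only honoured when it matches one of the known landing URIs, so it cannot become an open redirect or select an arbitrary domain.

```tcl
when RULE_INIT {
    # Landing URIs this iRule recognises (compared in lower case);
    # anything else is ignored
    set static::landing_uris [list "/domaina" "/domainb"]
    # Cookie used to remember the landing URI (assumed name)
    set static::landing_cookie "LandingURI"
}

when HTTP_REQUEST {
    set path [string tolower [HTTP::path]]

    # Remember a hit on a known landing URI; the cookie itself is written
    # on the matching response in HTTP_RESPONSE
    if { [lsearch -exact $static::landing_uris $path] >= 0 } {
        set remember_landing $path
    }

    # After logoff APM renders its logout page; send the user on to the
    # landing URI recorded in the cookie. Only a value from the allow-list
    # is ever used as a redirect target.
    if { $path == "/my.logout.php3" } {
        set landing [string tolower [HTTP::cookie $static::landing_cookie]]
        if { [lsearch -exact $static::landing_uris $landing] >= 0 } {
            HTTP::redirect $landing
            return
        }
    }
}

when HTTP_RESPONSE {
    # Write the landing cookie once, on the response to the landing request
    if { [info exists remember_landing] } {
        HTTP::cookie insert name $static::landing_cookie value $remember_landing path "/"
        HTTP::cookie secure $static::landing_cookie enable
        unset remember_landing
    }
}

when ACCESS_SESSION_STARTED {
    # Prefer the URI of the request that started the session (first visit,
    # before any cookie exists); otherwise fall back to the cookie. The
    # result is only a branch hint: the policy still authenticates the
    # user against the selected domain.
    set landing [string tolower [HTTP::path]]
    if { [lsearch -exact $static::landing_uris $landing] < 0 } {
        set landing [string tolower [HTTP::cookie $static::landing_cookie]]
    }
    switch -- $landing {
        "/domaina" { set domain "DomainA" }
        "/domainb" { set domain "DomainB" }
        default    { set domain "" }
    }
    ACCESS::session data set session.custom.domain $domain
}
```

In the visual policy, the branch rule on the Landing URI item can then test the session variable, for example expr {[mcget {session.custom.domain}] == "DomainA"}, so a Domain A user who logs off and is redirected to /DomainA lands on the Domain A branch again rather than on the fallback that queries domain B.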