Forum Discussion

LarsS__178188's avatar
LarsS__178188
Icon for Nimbostratus rankNimbostratus
Mar 22, 2016

APM - Delete SSO credentials after login

Hello everybody,   I couldn't find any solution on my issue so far, so I try my luck here.   We use APM to access a SAP Portal. To realize SSO with the F5 and the SAP Portal login side, our One...
application delivery
BIG-IP Access Policy Manager (APM)
SSO
  • Josiah_39459's avatar
    Josiah_39459
    Mar 22, 2016

    Is the BW app a pool or a weblink or what? If SSO is being applied that means the request must be passing through the F5, so on whatever vip gets the request, check the HTTP_REQUEST event [HTTP::uri] and apply SSO::disable accordingly.

    e.g.

    when HTTP_REQUEST {
  if { [HTTP::uri] starts_with '/blahblahblah' } {
    WEBSSO::disable
  }
}

    or

       when ACCESS_ACL_ALLOWED {
      if { [HTTP::uri] starts_with '/blahblahblah' } {
        WEBSSO::disable
      }
    }

    similar depending on your app and f5 config

Josiah_39459's avatar
Josiah_39459
Historic F5 Account
Mar 22, 2016

Is the BW app a pool or a weblink or what? If SSO is being applied that means the request must be passing through the F5, so on whatever vip gets the request, check the HTTP_REQUEST event [HTTP::uri] and apply SSO::disable accordingly.

e.g.

when HTTP_REQUEST {
  if { [HTTP::uri] starts_with '/blahblahblah' } {
    WEBSSO::disable
  }
}

or

   when ACCESS_ACL_ALLOWED {
      if { [HTTP::uri] starts_with '/blahblahblah' } {
        WEBSSO::disable
      }
    }

similar depending on your app and f5 config

  • LarsS__178188's avatar
    LarsS__178188
    Icon for Nimbostratus rankNimbostratus
    Mar 23, 2016
    The BW System is not a pool. The SAP Portal only delivers a framework and forwards URI links to the Client. The Client himself is responsible for calling those embedded applications like the BW. In this case, the F5 as a reverse proxy is responsible for calling them and inserts the credentials from the SSO credential mapping. I didn't work much with iRules so far, so I didn't know the SSO::disable Option. I'll check it out and come back to it afterwards. Many thanks for this hint! Lars
  • Walter_Kacynsk1's avatar
    Walter_Kacynsk1
    Icon for Nimbostratus rankNimbostratus
    Mar 23, 2016
    The proper command name is WEBSSO::disable -- https://clouddocs.f5.com/api/irules/WEBSSO__disable.html
  • Josiah_39459's avatar
    Josiah_39459
    Historic F5 Account
    Mar 23, 2016
    Thanks! fixed
  • LarsS__178188's avatar
    LarsS__178188
    Icon for Nimbostratus rankNimbostratus
    Mar 23, 2016
    Due to the hint by Josiah and the wiki artical, I've created the following iRule, which works fine in our enviroment: when ACCESS_ACL_ALLOWED { if { [HTTP::uri] contains "/irj/servlet/prt/portal/prtroot/com.sap.ip.bi.web.portal.integration.launcher;" } { log local0. "Disabling SSO for this request: [HTTP::uri]" WEBSSO::disable } } The iRule for the hard coded users looks nice as well, but we want to remove these kind of request completely and switch to a different architecture. Many thanks for your help