Forum Discussion
APM: Inserting headers for back-end servers to process.
I'm trying to take a couple of pieces of information out of a consumed SAML assertion on the F5 as the service provider and insert them as headers to the back-end servers. Here is one of the variables in APM that I would like to pass to the servers: session.saml.last.nameIDValue. I'm just having a difficult time trying to figure out how to insert this as headers and have it make it to the back-end servers. I tried this, which creates the headers, because it logs them after they're created, but they never make it to the application server after the APM policy is complete. Any help you guys could provide would be great.
when ACCESS_POLICY_AGENT_EVENT {
    switch [ACCESS::policy agent_id] {
        "HEADERINSERT" {
            log local0. "session.saml.last.nameIDValue: [ACCESS::session data get session.saml.last.nameIDValue]"
            log local0. "session.saml.last.attr.name.xprole: [ACCESS::session data get session.saml.last.attr.name.xprole]"
            HTTP::header insert test1 "[ACCESS::session data get session.saml.last.nameIDValue]"
            HTTP::header insert test2 "[ACCESS::session data get session.saml.last.attr.name.xprole]"
            log local0. "TEST1: [HTTP::header value test1]"
            log local0. "TEST2: [HTTP::header value test2]"
        }
    }
}
4 Replies
- dubdub
Nimbostratus
Hi Brett,
Not sure if it is of any help, but when I insert SAML values into HTTP headers, I use the ACCESS_ACL_ALLOWED and HTTP_REQUEST events for it. Have you tried test headers in either of those events to see if they get through to the backend web servers?
Thanks, Jen
- bdavis
Nimbostratus
So I can insert them and then log them, but they never make it to the application. So I put a logging statement to log all headers in the when HTTP_REQUEST_SEND { and they are not there. So something is happening to them between the policy allow and when they actually get sent to the servers.
I had the same problem. I created an IIS web site, enabled NTLM, and did the headers as you did. This worked for me. Another problem is redirects; are you doing any redirects? What type of SSO configuration do you have?
- bdavis
Nimbostratus
Thanks guys, the actual issue was on the server side. I was able to insert them in the ACCESS_ACL_ALLOWED event as initially suggested above. But when I did it there were issues on the application side, and it is now fixed. However, the above iRule that you provided, dubdub, made me think I might want to check for existing sessions and re-insert the headers for these; however, the application generates a JSESSIONID to track the session after authentication, so I may not ever need to. Thank you guys for your help.
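Added example, not posted by anyone in this thread: a sketch of the ACCESS_ACL_ALLOWED approach the thread settled on, which also removes any copy of the headers sent by the client so the back end only sees values taken from the APM session. The header names test1 and test2 are the test names from the question; using them in production, and skipping empty values, are assumptions of this example.

```tcl
# Added example (not from the thread). Header names test1/test2 are the
# question's test names; replace them with what the application expects.
when ACCESS_ACL_ALLOWED {
    # Remove client-supplied copies first. The back end treats these
    # headers as identity, so a value sent by the browser must never
    # reach it.
    HTTP::header remove "test1"
    HTTP::header remove "test2"

    # Read the values APM stored when it consumed the SAML assertion.
    set name_id [ACCESS::session data get "session.saml.last.nameIDValue"]
    set xprole  [ACCESS::session data get "session.saml.last.attr.name.xprole"]

    # Insert only non-empty values (assumption: an empty session variable
    # means the assertion did not carry that attribute).
    if { $name_id ne "" } {
        HTTP::header insert "test1" $name_id
    }
    if { $xprole ne "" } {
        HTTP::header insert "test2" $xprole
    }
}
```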
