APM: SSO not able to setup for phpipam
Hi all, For quite some time I have been trying to set up SSO for the phpipam web-app, demo here: http://phpipam.net/phpipam-demo/
I use this web-app to try the more complex SSO setups since phpipam uses a modern login form with JavaScript etc.
Does anyone have a working config for this commonly used tool in the OSS world? I can post logfiles etc. if someone is able to help me with this. Actually I'm doing tests with "Forms - Client Initiated" but I cannot get this to work.
Thanks, Peter
8 Replies
- what does your logging say, does it detect the page, does it attempt a login? you gotta check your /var/log/apm for this, for some reason it doesn't show in the session log in the GUI.
- Peter_Baumann_5
Nimbostratus
What I get is the following:

    Jun 25 11:36:15 bigip1 info tmm2[11400]: 014d0002:6: 3208cc09: SSOv2 Form submitted, config /LNB/sso_client_lnb form IPAM
    Jun 25 11:36:15 bigip1 warning tmm2[11400]: 014d0002:4: 3208cc09: SSOv2 Logon failed, config /LNB/sso_client_lnb form IPAM

Matching, sending, Form Variables etc. is ok, I checked it many times. So with the above messages, with logging set to debug, I don't get more information about why it is not working. How can I do more troubleshooting of "Logon failed" SSO messages?
- can you check on the server if a login attempt is made and if so if it is wrong in some way?
it would be nice if there was just a little more debugging, but I'm afraid there isn't.
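For matching the "Logon failed" entries in /var/log/apm against login attempts on the backend server, the following added example (not part of the original thread) pairs each SSOv2 form submission with its failure by session ID and reports the timestamps to look up on the server. The line layout is inferred only from the two log lines quoted above; the third sample line, the regular expression and all function names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Layout inferred from the two SSOv2 lines quoted in the thread (assumption).
SSO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) (?P<level>\w+) \S+\[\d+\]: "
    r"[0-9a-f]{8}:\d: (?P<sid>[0-9a-f]{8}): SSOv2 "
    r"(?P<event>Form submitted|Logon failed), config (?P<config>\S+) form (?P<form>\S+)"
)

# Lines 1-2 are from the thread; line 3 is constructed (a session with no failure logged).
SAMPLE_LOG = """\
Jun 25 11:36:15 bigip1 info tmm2[11400]: 014d0002:6: 3208cc09: SSOv2 Form submitted, config /LNB/sso_client_lnb form IPAM
Jun 25 11:36:15 bigip1 warning tmm2[11400]: 014d0002:4: 3208cc09: SSOv2 Logon failed, config /LNB/sso_client_lnb form IPAM
Jun 25 11:40:02 bigip1 info tmm1[11400]: 014d0002:6: 7a10e4b2: SSOv2 Form submitted, config /LNB/sso_client_lnb form IPAM
some unrelated line
"""

def failed_sso_attempts(lines):
    """Return one record per session/form where a submit was followed by 'Logon failed'."""
    submitted = {}  # (session id, config, form) -> timestamp of the last form submission
    failures = []
    for line in lines:
        m = SSO_LINE.match(line.strip())
        if not m:
            continue  # not an SSOv2 form event
        key = (m["sid"], m["config"], m["form"])
        if m["event"] == "Form submitted":
            submitted[key] = m["ts"]
        elif key in submitted:
            failures.append({"session": m["sid"], "config": m["config"], "form": m["form"],
                             "submitted_at": submitted.pop(key), "failed_at": m["ts"]})
    return failures

def failures_per_form(failures):
    """Count failures per (config, form) to see which SSO profile is affected."""
    counts = defaultdict(int)
    for f in failures:
        counts[(f["config"], f["form"])] += 1
    return dict(counts)

if __name__ == "__main__":
    for record in failed_sso_attempts(SAMPLE_LOG.splitlines()):
        print(record)
```

The `submitted_at` value of each record is the time to search for in the web server's access log for the POST to the login form.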
- kunjan
Nimbostratus
Have you tried form based SSO with form-username as ipamusername and form-password as ipampassword?
- Peter_Baumann
Cirrostratus
Hi kunjan, I tried both form based SSO profiles without success. Now I have another PoC installation to do for a customer where I could only get 1 of 3 applications to work with SSO. The whole SSO thing is somewhat unusable in customer environments... it's bad :-(
- Drew_24528
Nimbostratus
I just ran into this issue.
This can be solved with an iRule as the phpipam application doesn't redirect on a successful login.

    when HTTP_RESPONSE {
        # Trigger collection for up to 1MB of data
        if {[HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] <= 1048576} {
            set content_length [HTTP::header "Content-Length"]
        } else {
            set content_length 1048576
        }
        # Check if $content_length is not set to 0
        if { $content_length > 0 } {
            HTTP::collect $content_length
        }
    }
    when HTTP_RESPONSE_DATA {
        # phpipam answers a successful login in the response body, so redirect from here
        if { [HTTP::payload] contains "Login successful" } {
            log local0. "Login successful"
            HTTP::redirect http://ipam.domain.com/phpipam/
        }
    }

Once this rule is applied to the VIP with the APM policy you can use a regular forms SSO profile with the following values:

    apm sso form-based sso_apm_ipam.domain.com_forms {
        form-action /phpipam/app/login/login_check.php
        form-password ipampassword
        form-username ipamusername
        passthru true
        start-uri /phpipam/\?page=login
    }