For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

amass87_221296's avatar
amass87_221296
Icon for Nimbostratus rankNimbostratus
Feb 16, 2017

APM Username header for back-end server authentication

I am working on a puzzling issue with headers in APM. The environment I am working in is currently running through a dying Tivoli Access Manager for authentication. Many of the back-end servers were setup for header authentication, where the username is passed in a header value.

 

The issue I am having is replicating this functionality. No matter which event I use for the HTTP::header insert. It is not making it into the crucial message to the back-end server.

 

What does work is that in the SSO Forms-based authentication. I can choose advance configuration and insert a header in the SSO configuration file that has the right name and a static username. This will get passed appropriately to the back-end server and the user is authenticated. This obviously isn't the dynamic solution I want as it only works for 1 user. What I need is to insert a header with a value based on the session.logon.last.username variable that is sent with the SSO Form to the back-end server. Any suggestions on how to do that would be much appreciated.

 

application delivery
BIG-IP Access Policy Manager (APM)
security

5 Replies

  • Niels_van_Sluis's avatar
    Niels_van_Sluis
    Icon for MVP rankMVP
    Feb 17, 2017

    This works for me:

    when HTTP_REQUEST {
    if { [ACCESS::session exists -state_allow -sid [HTTP::cookie MRHSession] ] } {
        HTTP::header insert X-Username [ACCESS::session data get session.logon.last.username]
    }
}
  • boneyard's avatar
    boneyard
    Icon for MVP rankMVP
    Feb 19, 2017

    i have been able to use variables like %{session.sso.token.username} fine through several versions up to and including 12.x

     

  • wick54's avatar
    wick54
    Icon for Nimbostratus rankNimbostratus
    Jun 14, 2019

    Hi amass87 221296,

     

    I'm new to F5 and I have ran in to the same problem as you are, we are in process of replacing IBM TFIM solution and trying to replicate the HTTP::Header insert function on F5.

     

    I've created a form based SSO object as described in this article and wondering how this get added in to APM Policy.

     

    I have created a basic APM policy and associcated this SSO object with it.

     

    However this still doesn't work as expected. are you able to share working configuration please?