Forum Discussion
APM Username header for back-end server authentication
I am working on a puzzling issue with headers in APM. The environment I am working in is currently running through a dying Tivoli Access Manager for authentication. Many of the back-end servers were set up for header authentication, where the username is passed in a header value.
The issue I am having is replicating this functionality. No matter which event I use for the HTTP::header insert, it is not making it into the crucial message to the back-end server.
What does work is that in the SSO Forms-based authentication, I can choose advanced configuration and insert a header in the SSO configuration file that has the right name and a static username. This will get passed appropriately to the back-end server and the user is authenticated. This obviously isn't the dynamic solution I want as it only works for 1 user. What I need is to insert a header with a value based on the session.logon.last.username variable that is sent with the SSO Form to the back-end server. Any suggestions on how to do that would be much appreciated.
- amass87_221296Nimbostratus
Not to answer my own question, but I am about to test using a variable in the form. The article says it only applies to certain versions in 11.x code, but here goes.
https://support.f5.com/csp/article/K13751
%{session.sso.token.username}
This works for me:
    when HTTP_REQUEST {
        if { [ACCESS::session exists -state_allow -sid [HTTP::cookie MRHSession]] } {
            HTTP::header insert X-Username [ACCESS::session data get session.logon.last.username]
        }
    }
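An added example, not part of the post above or of F5's own code: with header authentication the back end trusts whatever username header reaches it, and HTTP::header insert adds a header without removing one the client already sent. The sketch below assumes the X-Username header name from the post and uses the ACCESS_ACL_ALLOWED event, which fires after the access policy has allowed the request; both choices are assumptions to adapt to your policy.

```tcl
# Added example (assumptions: header name X-Username as in the post above,
# username stored in session.logon.last.username by the logon page).
when ACCESS_ACL_ALLOWED {
    # Always discard any copy of the header supplied by the client, so the
    # back end never sees a username that APM did not set.
    HTTP::header remove X-Username

    # Read the username from the established APM session.
    set user [ACCESS::session data get session.logon.last.username]

    if { $user ne "" } {
        # Forward exactly one header carrying the session's username.
        HTTP::header insert X-Username $user
    } else {
        # No username in the session: forward nothing and leave a trace
        # for troubleshooting instead of sending an empty identity.
        log local0.warning "APM: no session.logon.last.username for [IP::client_addr] [HTTP::uri]"
    }
}
```

The back-end servers should also accept this header only on connections arriving from the BIG-IP, since any path that bypasses it would let a client set the header directly.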
- amass87_221296Nimbostratus
Awesome, I might try that. This solution article actually worked, so I am very relieved. https://support.f5.com/csp/article/K13751
I have been able to use variables like %{session.sso.token.username} fine through several versions up to and including 12.x
- wick54Nimbostratus
Hi amass87 221296,
I'm new to F5 and I have run into the same problem as you. We are in the process of replacing an IBM TFIM solution and trying to replicate the HTTP::header insert function on F5.
I've created a form-based SSO object as described in this article and am wondering how this gets added into the APM Policy.
I have created a basic APM policy and associated this SSO object with it.
However, this still doesn't work as expected. Are you able to share a working configuration, please?