F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

CA_Valli's avatar
CA_Valli
Icon for MVP rankMVP
Oct 26, 2022
Solved

Applying APM on an iframe

Hello everyone, I'm having this issue where APM-protected content fails to start APM session if called from an iFrame.  The access session starts at client request time as expected, and I can see t...
application delivery
BIG-IP Access Policy Manager (APM)
security
  • CA_Valli's avatar
    CA_Valli
    Dec 13, 2022

    So we did some more testing, and this is not going to work.

    We've worked with support and experimented with iRules to insert additional headers and cookies into the response, but the behaviour of CORS is that these are always going to be removed. And because APM relies heavily on cookies to function, it does mean that accessing APM-protected content from an iFrame will fail to work. 

Omar95's avatar
Omar95
Icon for Altostratus rankAltostratus
May 12, 2023

Hello CA_Valli ,

Thank you for sharing all this information it very helpfull.

Do you mind to share how did you achieve this (Irule, specific config ...)?

Thank you very much

CA_Valli's avatar
CA_Valli
Icon for MVP rankMVP
May 12, 2023

iRule kinda looks like this.
I suggest you to raise a support case if you need specific tuning.

 

when HTTP_REQUEST {

if { $host eq "apmprotected.mybusiness.com" && [HTTP::header exists "Referer"]}{
  set referer_host [string tolower [URI::host [HTTP::header "Referer"]]]
  if { $referer_host ne "partnerportal.company.com" && $referer_host ne "apmprotected.mybusiness.com"}{
    # iframes in unauthorized portals get redirected to main auth
    # notice I had to include my own portal as "authorized" to correctly load scripts,css,etc. 
    HTTP::respond 302 Location "https://apmprotected.mybusiness.com/"
  } else { 
    # i have a big list of IFs here to match specific conditions
    ACCESS::disable 
  }
}

}