Forum Discussion

Vivek_9701
Sep 14, 2010

BIGIP iRule implementation

Hi,

I am new to iRules; we have a requirement to write some iRules which can solve the issue. Below you can see the scenario.

1. Provide form-based authentication of the user against Active Directory.
Steps required:
- Set up the AD/LDAP connection in BIG-IP
- Create a base64-encoded version of the provided login form
- Create an iRule which triggers the login form, catches the HTTP POST response and performs auth against LDAP. If successfully authenticated, issue an authentication cookie with the HttpOnly flag back to the user.

See http://devcentral.f5.com/wiki/default.aspx/iRules/ClientAuthUsingHTMLForms.html and http://www.owasp.org/index.php/HttpOnly

2. Provide a high-level authorization check by verifying membership of an Active Directory group.
Steps required: The LDAP connection in BIG-IP should be configured with a group DN which points to a group of which all SAP vendor users are members.

3. Pass a secure token with the user name of the logged-on user as an HTTP header to the Web front-end.
Steps required: After the user is authenticated, always add extra HTTP headers with the name of the logged-on user. Suggestion: use Z-Authenticated-User and Z-Authenticated-User-Encrypted. The encrypted header Z-Authenticated-User-Encrypted should be an AES-encrypted value of Z-Authenticated-User (http://devcentral.f5.com/wiki/default.aspx/iRules/AES__encrypt.html). The key of the AES encryption should only be shared with the SAP Web front-end. (The web front-end will validate that Z-Authenticated-User = AES_DECRYPT(Z-Authenticated-User-Encrypted).)

4. Clean outgoing HTTP header information such as the “Server” name and version.
Steps required: For outgoing responses, remove the HTTP header Server. http://devcentral.f5.com/wiki/default.aspx/iRules/HTTP__header.html

5. Store the outgoing cookie SAPLogonTicket in the BIG-IP session and remove it from the HTTP response.
Steps required: For outgoing responses, get the cookie SAPLogonTicket (either from the Set-Cookie or Cookie HTTP header). Remove it from the HTTP response and store it in the session. http://devcentral.f5.com/wiki/default.aspx/iRules/session.html

6. If the user is authenticated, add the SAPLogonTicket cookie from the BIG-IP session to the request before passing it to the web front-end.
Steps required: For incoming requests, retrieve the SAPLogonTicket cookie from the session and add it to the request.

Can anyone help me to set up the iRule?

Regards

Sam
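As an added illustration (not code from the original post or from F5), the following iRule sketches steps 3 to 6 of the list above. It assumes that the login form and LDAP check of steps 1 and 2 are handled elsewhere, that they set an HttpOnly cookie with the hypothetical name BIGIPAUTH, and that the authenticated user name was stored with `session add uie "auth:<id>"`; the AES key generated in RULE_INIT is a placeholder for the fixed key shared only with the SAP front-end.

```tcl
when RULE_INIT {
    # Placeholder key (assumption): a real deployment pastes in the fixed key that
    # was generated once with AES::key and is shared only with the SAP front end.
    set static::sap_aes_key [AES::key]
}

when HTTP_REQUEST {
    # Never trust these headers from the client: strip inbound copies so that
    # only values set by BIG-IP reach the web front end.
    HTTP::header remove "Z-Authenticated-User"
    HTTP::header remove "Z-Authenticated-User-Encrypted"

    # Look up the user name stored at login (hypothetical cookie BIGIPAUTH and
    # session key "auth:<id>" are assumptions, not from the original post).
    set auth_id ""
    set user ""
    if { [HTTP::cookie exists "BIGIPAUTH"] } {
        set auth_id [HTTP::cookie value "BIGIPAUTH"]
        set user [session lookup uie "auth:$auth_id"]
    }

    if { $user ne "" } {
        # Step 3: user name plus an AES-encrypted copy (base64 so it is header-safe)
        set enc [b64encode [AES::encrypt $static::sap_aes_key $user]]
        HTTP::header insert "Z-Authenticated-User" $user
        HTTP::header insert "Z-Authenticated-User-Encrypted" $enc

        # Step 6: re-insert the SAPLogonTicket kept in the BIG-IP session
        set ticket [session lookup uie "sap:$auth_id"]
        if { $ticket ne "" } {
            HTTP::cookie insert name "SAPLogonTicket" value $ticket
        }
    } else {
        # Not authenticated: never forward a client-supplied SAP ticket
        HTTP::cookie remove "SAPLogonTicket"
    }
}

when HTTP_RESPONSE {
    # Step 4: hide the server software name and version
    HTTP::header remove "Server"

    # Step 5: keep SAPLogonTicket on BIG-IP instead of sending it to the browser
    if { [info exists auth_id] && $auth_id ne "" && [HTTP::cookie exists "SAPLogonTicket"] } {
        session add uie "sap:$auth_id" [HTTP::cookie value "SAPLogonTicket"] 3600
        HTTP::cookie remove "SAPLogonTicket"
    }
}
```

The front-end should reject any request where decrypting Z-Authenticated-User-Encrypted does not yield Z-Authenticated-User, and the 3600-second session timeout is an assumed value to be matched to the SAP ticket lifetime.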
  • Sam: it really sounds like you should look at using the APM (Access Policy Manager) module for this particular use case.

    -Matt
  • http://devcentral.f5.com/weblogs/watkins/archive/2010/07/19/securing-the-corporate-intranet-with-access-policy-manager.aspx
  • APM doesn't help in the above scenario. Can you please help me to implement it through iRules?
  • hmmm...looks like a lot of work and sounds like you're gonna need several iRules. Probably a bit beyond my capabilities. I think you can use an authentication profile for the LDAP side of things, but this isn't something I'm familiar with...