
Steve_W_85246
May 29, 2013

Client Initiated SSO configuration in iRule

I have a situation where an in-house application uses both Basic Authentication (Weblogic system prompt) as well as HTML form based login pages.

I wanted to try out the Client Initiated Forms in the SSO Configuration to formfill the HTML forms. I have an SSO Configuration for the HTTP Basic Authentication, and now a Client Initiated SSO Configuration for the HTML login form pages. However, I can only attach 1 SSO Configuration to an Access Profile at a time. What I was wondering is can the Client Initiated SSO Configuration be initiated or re-initiated from an iRule? Using WEBSSO::select doesn't seem to recognize the Client Initiated SSO Configurations.

 

Using Big-IP 11.2 (Build 2747.0)

 

Thanks,

 

Steve Wilson

 

13 Replies

  • That behavior (not recognizing a client-initiated forms SSO profile from WEBSSO::select) persists in 11.3.

     

     

    1. I would recommend opening a case.

     

     

    2. Not sure if this is what you want, but I've successfully tested with an access policy that statically assigns the client-initiated forms SSO, but does WEBSSO::select to the Basic SSO as required.
  • Thanks for confirming about 11.3 Kevin, I was curious about that too. I had tried that very thing, attaching the client-based forms to the Access Profile, and then calling the Basic SSO in my iRule. Basic SSO fires first and it takes care of the WL system prompt no problem, but then how do you re-call the client-based forms SSO so that it hits the HTML login pages? I was watching the APM logs on the console, and it never seems to fire at all since calling the WEBSSO::select "basic auth" in the ACCESS_ACL_ALLOWED event in the iRule. Setting WEBSSO::select seems to replace whatever SSO config you had defined in the Access Policy.

     

    Steve.

     

  • A few additional questions:

     

     

    1. Is the HTML form INSIDE the WL system? In other words, is it in the same session, same IP, same VIP?

     

     

    2. Do you have to keep re-authenticating (via Basic) to the WL system throughout the session, or are further requests handled by a session token? Does the WL system expect the Authorization header in every request?

     

     

    3. Can you potentially, by virtue of the first authentication, skip the second one (or do something else like HTTP headers)?

     

     

    4. Is there a specific need for the client-initiated forms SSO over the more static forms SSO?

     

  •  

    1. Is the HTML form INSIDE the WL system? In other words, is it in the same session, same IP, same VIP?

     

    Yes, the HTML login form is part of the application code running on WL

     

     

    2. Do you have to keep re-authenticating (via Basic) to the WL system throughout the session, or are further requests handled by a session token? Does the WL system expect the Authorization header in every request?

     

    I believe WL creates a session token that keeps the authentication session alive.

     

     

    3. Can you potentially, by virtue of the first authentication, skip the second one (or do something else like HTTP headers)?

     

    I tried setting the Basic-Auth header in the iRule, while the client-initiated forms handled the HTML login form, but it didn't seem to work.

     

     

    4. Is there a specific need for the client-initiated forms SSO over the more static forms SSO?

     

    I tried using the static SSO forms initially but I couldn't get them to do the form fill of the actual HTML login form of the application code. That's when I started looking at the client-initiated forms.

     

     

    Thanks again for your help.

     

    Steve
  • Any resolution on this post? I got the same problem here. Only form-basedv2 is working and I can't use it in an iRule with WEBSSO::select.

     

    Regards

     

  • I'm running 11.4.1 HF3 and get the same issue.

     

    I will open a support case and keep you informed.

     

    Best Regards

     

    Yann

     

  • Selecting an SSO configuration with WEBSSO::select does not work for form-based client-initiated and SAML SSO configurations. Use a variable to assign the configuration object name:

        set sso_config /Common/SAML-config
        WEBSSO::select $sso_config
        unset sso_config

     

    Best Regards

     

    Yann

     

    • Yann_Desmarest_
      This is mentioned as a Known Issue by F5 support, and this is not fixed in 11.5.1 HF4 (latest release).
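
The variable-based workaround quoted above, placed in the ACCESS_ACL_ALLOWED event mentioned earlier in the thread and combined with per-request selection between the two SSO configurations. This is an added example, not code from any poster or from F5; the SSO object names and the `/app/login` path are hypothetical, and the thread does not confirm that this resolves the original question.

```tcl
# Added illustration: object names and the URI pattern are assumptions.
when ACCESS_ACL_ALLOWED {
    # Choose the SSO configuration per request. The object name is passed
    # through a variable, following the workaround quoted in the thread.
    switch -glob -- [string tolower [HTTP::path]] {
        "/app/login*" {
            # HTML login form served by the application (assumed path)
            set sso_config /Common/app_forms_client_sso
        }
        default {
            # All other requests: the WebLogic Basic Authentication prompt
            set sso_config /Common/app_basic_sso
        }
    }
    WEBSSO::select $sso_config
    unset sso_config
}
```

Keeping the selection in one place makes it easy to confirm, from the APM logs, which SSO configuration was applied to a given request and that credentials are only submitted to the paths intended to receive them.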