Forum Discussion
clientless - sso
So first let me back up and say that clientless-mode won't allow you to use a login page in the policy. So then the client will post their credentials in the XML, the iRule will pick these up, assign them to APM session variables, pass those to an auth agent, and then perform any additional policy evaluation requirements (ex. LDAP query more group membership). The access session will be assigned and a cookie sent to the client on the first response from the back end server. Here's an example:
    when HTTP_REQUEST {
        # Tell APM to run the access policy without a logon page
        HTTP::header insert "clientless-mode" 1
        # Only buffer the body of the credential POST
        if { ( [HTTP::method] equals "POST" ) and ( [string tolower [HTTP::uri]] starts_with "/auth" ) } {
            HTTP::collect [HTTP::header Content-Length]
        }
    }
    when HTTP_REQUEST_DATA {
        # Split the form body into name=value pairs; values are used exactly as sent (no URL-decoding)
        foreach x [split [HTTP::payload] "&"] {
            switch -glob $x {
                "username=*" {
                    set username [lindex [split $x "="] 1]
                }
                "password=*" {
                    set password [lindex [split $x "="] 1]
                }
            }
        }
    }
    when ACCESS_SESSION_STARTED {
        # Copy the collected values into the session variables the auth agent reads
        if { [info exists username] } {
            ACCESS::session data set session.logon.last.username $username
        }
        if { [info exists password] } {
            ACCESS::session data set session.logon.last.password $password
        }
    }
Now granted, this is a very simple test where the client is simply posting credentials.
    curl -v http://10.70.0.100/auth.php -d "username=bob.user&password=password"
But hopefully you see where I'm going with it. Collect the payload in the HTTP_REQUEST_DATA event, set some local variables, collect those local variables in the ACCESS_SESSION_STARTED event and send them to access session variables, then use those access session variables within the access policy to auth and/or query. You can drop an AD auth right into the visual policy with this example. If successful, the request will pass through to the back end server, and on first response the client will get the APM session cookie.
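Added example, not part of the original post and not F5 code: a Python model of what a split-on-`&`/`=` parse like the HTTP_REQUEST_DATA handler above passes on as username and password, set against a stricter form parser, so the difference on encoded, `=`-containing and duplicated fields is visible before the values reach an auth agent. The function names, the `MAX_BODY` cap and the request bodies are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs

MAX_BODY = 4096  # assumed cap for a credential POST; not a value from the post


def split_only_parse(body):
    """Model of split-on-& then split-on-=: take the second element, no decoding."""
    fields = {}
    for pair in body.split("&"):
        for name in ("username", "password"):
            if pair.startswith(name + "="):      # same match as the glob "name=*"
                fields[name] = pair.split("=")[1]  # later duplicates overwrite earlier ones
    return fields


def strict_parse(body):
    """Decode the form body and insist on exactly one non-empty username and password."""
    if len(body) > MAX_BODY:
        raise ValueError("body too large")
    form = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    creds = {}
    for name in ("username", "password"):
        values = form.get(name, [])
        if len(values) != 1 or values[0] == "":
            raise ValueError(f"expected exactly one non-empty {name}")
        creds[name] = values[0]
    return creds


# Constructed request bodies (not captured traffic).
SAMPLES = {
    "plain": "username=bob.user&password=password",
    "encoded": "username=bob.user&password=p%40ss+w%3Drd%21",
    "raw_equals": "username=bob.user&password=abc=def",
    "duplicate": "username=bob.user&username=admin&password=x",
}


def compare(body):
    """Return (split-only result, strict result or rejection reason) for one body."""
    try:
        strict = strict_parse(body)
    except ValueError as exc:
        strict = f"rejected: {exc}"
    return split_only_parse(body), strict


if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, *compare(body), sep="\n  ")
```

Only the "plain" body, the one used in the curl test, comes out the same from both parsers.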