Forum Discussion

Nimbostratus

Nov 04, 2013

clientless - sso

currently we have a web application that lives on a web server with IIS and forms based auth.. our external clients POST an XML with embedded username and password variables to it.. the web server cr...

application delivery

BIG-IP Access Policy Manager (APM)

Employee

Nov 15, 2013

Would you need to do all of that? Assuming that the FIRST request is a POST to "/auth" with credentials, subsequent requests should all come with the session cookie, so that:

You could technically only enable clientless-mode for this request, and
Simply set the pools in the ACCESS_ACL_ALLOWED event for everything.

All subsequent requests will have the session cookie, so they should all skip to the ACCESS_ACL_ALLOWED event. You might also want to send a "reject" response if the user attempts to request a URI other that "/auth" without the session cookie.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)