Forum Discussion

AlexS_yb's avatar
AlexS_yb
Icon for Cirrocumulus rankCirrocumulus
May 11, 2023

Customise the logon page from APM

Hi

 

I have a 2 step login work flow

-> logon object - but I only accept username - because I will switch based upon email address

-> (step 2) logon object - but with username read only

 

I have added a link to the bottom of the window "click here to reset"

I would like to create another link but I want it dynamic basically I want to use the landinguri from the session to craft a url.  How can I do that ??

 

A

 

  • Hi Alex (great name! ;), 

    I think you should be able to do that with session variables, but I'm struggling to exactly understand the question. Can you clarify the question a bit / what you are exactly trying to achieve? 

    • AlexS_yb's avatar
      AlexS_yb
      Icon for Cirrocumulus rankCirrocumulus

      🙂

      So because I have a step login process - logon widget to get username and then branch based upon domian name - so SAML or local ldap .

      for local ldap another login widget where you enter password.

      It was brought to my attention that I have locked the username on the second dialogue box - because I don't want people to put in SAML email addresses here and by pass the saml hand off.

      so how do I easily hand back to the first widget in apm - don't think APM allows for that.

      My next thought was to add a button - change user name or Back. but what it does is call a url - that logs out the session and restarts - thats the only way I can see how to restart the progress throught APM.  But if I do that I lose my landing uri and if I don't some how keep that once the user has logged in they land on / which is of no use !

       

      I wanted to craft a button that had say destination url = /sso/logoff?r=<landing url>  that would handle the log off and then redirect based upon r

       

       

       

      • AlexBCT's avatar
        AlexBCT
        Icon for Cumulonimbus rankCumulonimbus

        Ah, that's an interesting scenario! And yes, I quite agree to lock the username on the second screen (or something similar) so that people can't bypass the SAML trick. I may however have an easier solution for you. Are you familiar with the Macro's in the APM policy? Within Macro's, you can create a Loop ending. 

        If you put the original logon widget, as well as the second LDAP agent into a Macro (perhaps with some other agents too), and at the end the Macro, put an agent that checks if the login name is still the same as on the first page, you should be fine. If the user doesn't change the username, continue. Otherwise, follow the Loop ending which sends it back to the beginning (without loosing the session!)

        I use something similar myself for a home-cooked login portal, and on the login page, I have an empty variable which doesn't show anything at first, but if someone gives the wrong credentials, the variable gets filled with the text "Incorrect username/password", which then shows up on the login page. This second trick means that in my case, I can tell the user of the error, without having to create a completely new login page. 

        Some details on Macro Loops; https://my.f5.com/manage/s/article/K48343296

        And here is part of my policy; 

         

        Hope this helps, but if not quite what you're looking for, let me know and we'll keep digging.