For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

AlexS_yb's avatar
AlexS_yb
Icon for Cirrocumulus rankCirrocumulus
May 11, 2023

Customise the logon page from APM

Hi   I have a 2 step login work flow -> logon object - but I only accept username - because I will switch based upon email address -> (step 2) logon object - but with username read only   I hav...
devops
AlexS_yb's avatar
AlexS_yb
Icon for Cirrocumulus rankCirrocumulus
May 13, 2023

🙂

So because I have a step login process - logon widget to get username and then branch based upon domian name - so SAML or local ldap .

for local ldap another login widget where you enter password.

It was brought to my attention that I have locked the username on the second dialogue box - because I don't want people to put in SAML email addresses here and by pass the saml hand off.

so how do I easily hand back to the first widget in apm - don't think APM allows for that.

My next thought was to add a button - change user name or Back. but what it does is call a url - that logs out the session and restarts - thats the only way I can see how to restart the progress throught APM.  But if I do that I lose my landing uri and if I don't some how keep that once the user has logged in they land on / which is of no use !

 

I wanted to craft a button that had say destination url = /sso/logoff?r=<landing url>  that would handle the log off and then redirect based upon r

 

 

 

AlexBCT's avatar
AlexBCT
Icon for Cumulonimbus rankCumulonimbus
May 15, 2023

Ah, that's an interesting scenario! And yes, I quite agree to lock the username on the second screen (or something similar) so that people can't bypass the SAML trick. I may however have an easier solution for you. Are you familiar with the Macro's in the APM policy? Within Macro's, you can create a Loop ending. 

If you put the original logon widget, as well as the second LDAP agent into a Macro (perhaps with some other agents too), and at the end the Macro, put an agent that checks if the login name is still the same as on the first page, you should be fine. If the user doesn't change the username, continue. Otherwise, follow the Loop ending which sends it back to the beginning (without loosing the session!)

I use something similar myself for a home-cooked login portal, and on the login page, I have an empty variable which doesn't show anything at first, but if someone gives the wrong credentials, the variable gets filled with the text "Incorrect username/password", which then shows up on the login page. This second trick means that in my case, I can tell the user of the error, without having to create a completely new login page. 

Some details on Macro Loops; https://my.f5.com/manage/s/article/K48343296

And here is part of my policy; 

 

Hope this helps, but if not quite what you're looking for, let me know and we'll keep digging.