Forum Discussion
Example passing information to an application from APM
I guess this is more of a request for a "how would I" question than anything, and hopefully example articles or blogs exist already.
What I would like to understand is, after authenticating someone via APM, how do I pass like the user information to the application, basically very very simple SSO.
So maybe some simple helloworld webcode that goes hello 'username', and maybe as a second step, ignoring https, what would be the correct way to encrypt that info, maybe as a cookie?
And a little more advanced: how you would do this with a simple app with username + password boxes so the APM would prefill the login with the info it already has, i.e. SSO.
Thanks in advance
Hi Ravager,
Your question inspired me to do some testing with passing APM session variables into sessionStorage. First I created an iRule to add the APM session variable into the sessionStorage of the web browser. And a simple webpage to query the browser's sessionStorage.
iRule:
    when ACCESS_POLICY_COMPLETED {
        # Read the logon name from the APM session
        set username [ACCESS::session data get session.logon.last.username]
        # Escape backslash, double quote and less-than so the value stays inside the JavaScript string literal
        set username [string map [list "\\" "\\\\" "\"" "\\\"" "<" "\\u003c"] $username]
        set html "<!DOCTYPE html><html>"
        append html "<body onload=\"location.reload()\"></body><script lang=\"javascript\">"
        append html "if (typeof(Storage) !== \"undefined\") \{"
        append html "sessionStorage.setItem(\"username\", \"$username\");"
        append html "\}</script></html>"
        # Send the page that writes the value into sessionStorage and then reloads
        ACCESS::respond 200 content $html
    }
HTML to put on the webserver:
    <!DOCTYPE html>
    <html>
    <body>
    <div id="result"></div>
    <script>
    if (typeof(Storage) !== "undefined") {
      // textContent renders the stored value as text, never as markup
      document.getElementById("result").textContent = "Username: " + sessionStorage.getItem("username");
    } else {
      document.getElementById("result").textContent = "Sorry, your browser does not support Web Storage...";
    }
    </script>
    </body>
    </html>
Here you can see the username is put into the browser's sessionStorage.
Like always with the F5 BIG-IP, there is more than one way to do it. For example, you could also use HTTP Headers to pass information from APM to the web application. See:
K74392192: How to insert APM Variables in backend headers to the application server
Hi Ravager,
You could start with something easy: set up an NGINX web server with basic auth. See this tutorial:
https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
This is gonna be your pool member. Test basic auth by accessing the webserver directly, without the BIG-IP.
Next you will set up an APM Access Policy of the type LTM-APM with SSO Credential Mapping and create an HTTP Basic SSO configuration.
With the HTTP Basic method of authentication, the SSO plug-in uses the cached user identity and sends the request with the authorization header. This header contains the Basic token and the base64-encoding of the user name, colon, and the password. Example from tcpdump:
See this Manual Chapter: Creating an HTTP Basic SSO configuration.
Another simple form of SSO would be an HTTP forms-based SSO. With this method the BIG-IP will send the username and password as an HTTP form-based POST request to the application. Here is an example; you have to specify the parameter names for username, password and Start URI.
See this Manual Chapter: Creating an HTTP forms-based SSO configuration
You can find some HTML snippets for a form-based auth website here: https://www.w3schools.com/howto/howto_css_login_form.asp
Is this useful for you?
KR
Daniel
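The HTTP Basic SSO flow described in the post above, seen from the pool member: an added Python example (not part of the original posts and not F5 code) of a hello-world WSGI app that decodes the Authorization header the SSO plug-in sends and greets the user. It assumes a front end such as the NGINX auth_basic setup has already verified the password; the function names and the sample credentials are constructed for illustration.

```python
import base64
import html

# Constructed sample: the header shape is "Basic " + base64(username ":" password)
SAMPLE_HEADER = "Basic " + base64.b64encode(b"alice:pa:ss:word").decode("ascii")

def parse_basic_auth(header):
    """Return (username, password) from an Authorization header, or None."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and undecodable bytes
        return None
    # Split on the first colon only: the password may itself contain colons.
    username, sep, password = decoded.partition(":")
    if not sep or not username:
        return None
    return username, password

def app(environ, start_response):
    """WSGI hello-world that greets the user named in the SSO-supplied header."""
    creds = parse_basic_auth(environ.get("HTTP_AUTHORIZATION"))
    if creds is None:
        start_response("401 Unauthorized",
                       [("WWW-Authenticate", 'Basic realm="demo"'),
                        ("Content-Type", "text/plain; charset=utf-8")])
        return [b"authentication required\n"]
    # Assumption: the password was already checked in front of this app
    # (for example by NGINX auth_basic), so only the name is used here.
    # Escape before rendering: the username is user-controlled input.
    body = "<!DOCTYPE html><html><body>Hello %s</body></html>" % html.escape(creds[0])
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body.encode("utf-8")]

def run_once(header):
    """Call the app with a minimal constructed environ; return (status, body)."""
    captured = {}
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if header is not None:
        environ["HTTP_AUTHORIZATION"] = header
    body = b"".join(app(environ, lambda status, headers: captured.update(status=status)))
    return captured["status"], body.decode("utf-8")

if __name__ == "__main__":
    print(run_once(SAMPLE_HEADER))
```

To serve it for a real test behind the BIG-IP, pass `app` to `wsgiref.simple_server.make_server` from the standard library.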
- Ravager
You guys are legends, very keen to play around with your suggestions next week at work. This topic might even be a good one to write a full article with the various ways to do this.