Forum Discussion
F5 APM - HTTP Auth issues with redirecting token.
Issue: We have an application that houses User Directory Services and we use an HTTP form-based auth profile. We set the standard config for this.
Everything looks like it's going to work and the auth gets to the server, BUT, what seems like a problem is the Successful Logon Detection Match Value
.:8080/otdsws/login?RFA=PostTicket%3A%3Ahttp%3A%2F%2Fwecma0021..%3A8080%2Fwebaccess%2F%3Fwahash%3D%2523tab%253Dcontent
The idea is that the auth would be sent to wecma0020, a token is received back and redirected to wecma0021 with that token. From the webserver, works great, but when we add this into the APM for successful detection, it just spins. When I look at Managed Sessions with my user id, I get the following:
2016-03-25 11:56:38 Username '_*@******.com'
2016-03-25 11:57:21 Following rule 'fallback' from item 'Message Box(1)' to ending 'Allow'
2016-03-25 11:57:21 Access policy result: LTM+APM_Mode
2016-03-25 11:57:22 \N: Could not find SSO username, check SSO credential mapping agent setting
2016-03-25 11:57:22 \N: SSO username is empty - SSO is disabled
2016-03-25 11:57:23 \N: Could not find SSO username, check SSO credential mapping agent setting
2016-03-25 11:57:23 \N: SSO username is empty - SSO is disabled
Currently we are using a Kerberos SSO config but started thinking we might need Forms or Form-Client initiated SSO. But don’t know if that is the correct direction or not. Any value would be greatly appreciated.
3 Replies
- Josiah_39459
Historic F5 Account
That error says it can't find your username to send to the form. Do you have a SSO Credentials Mapping object before this one in the VPE? Is sso username being set correctly? Do you see the username being sent correctly to the webserver?
- smiley_dba_1116
Nimbostratus
Thank you Josiah. Yes, currently, I have it set with Kerberos SSO, but think I have it completely wrong.
And the gist of it is that the customer/client can be from any domain. Yahoo, Gmail, etc. So the login won't be in a particular format, other than an email address. Would you recommend using a FORM SSO?
- smiley_dba_1116
Nimbostratus
The thing that really gets me is that the string during the login process is .:8080/otdsws/login?RFA=PostTicket%3A%3Ahttp%3A%2F%2Fwecma0021...%3A8080%2Fwebaccess%2F%3Fwahash%3D%2523tab%253Dcontent
but then the PostTicket goes to wecma0021.**./webaccess.
I corrected the SSO problem with Form-Client Initiated SSO.
The current logging in APM when logging in is:
Mar 25 19:26:17 LOGNDLB01A notice apd[11576]: 01490010:5: b286a27c: Username 'smiley_dba@*********.com'
Mar 25 19:26:20 LOGNDLB01A notice apd[11576]: 01490220:5: b286a27c: Pool '/Common/OTDS_DEV.app/OTDS_DEV_pool' assigned
Mar 25 19:26:20 LOGNDLB01A notice apd[11576]: 01490005:5: b286a27c: Following rule 'fallback' from item 'Pool Assign' to ending 'Allow'
Mar 25 19:26:20 LOGNDLB01A notice apd[11576]: 01490102:5: b286a27c: Access policy result: LTM+APM_Mode
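The login string quoted in the question and again in the reply above carries the redirect target inside its RFA parameter with two layers of percent-encoding (the "%2523" and "%253D" near the end decode to "%23" and "%3D", and only a second pass yields "#" and "="). Decoding it layer by layer shows the three forms the same URL can take as it passes through the login and redirect, which is worth knowing when a match value typed into APM's Successful Logon Detection never seems to match. The script below is an added illustration, not code from the thread or from F5; it uses the thread's own match value as input, with the poster's redacted hostnames (".", "wecma0021..") left exactly as they appear, and all function names are my own.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Match value as quoted in the thread; hostnames were redacted by the poster
# and are kept as-is here, so the "target_host" below is not a real host name.
LOGIN_URL = (
    ".:8080/otdsws/login?RFA=PostTicket%3A%3Ahttp%3A%2F%2Fwecma0021..%3A8080"
    "%2Fwebaccess%2F%3Fwahash%3D%2523tab%253Dcontent"
)


def raw_rfa(login_url: str) -> str:
    """Return the RFA value exactly as it appears in the URL, without decoding it."""
    query = login_url.partition("?")[2]
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "RFA":
            return value
    raise ValueError("no RFA parameter in login URL")


def decode_layers(value: str) -> list:
    """Percent-decode repeatedly until the string stops changing.

    Each list entry is one encoding layer: [as sent, decoded once, decoded twice, ...].
    The list length minus one is the number of encoding layers the value carries.
    """
    layers = [value]
    while True:
        decoded = unquote(layers[-1])
        if decoded == layers[-1]:
            return layers
        layers.append(decoded)


def decode_rfa(login_url: str) -> dict:
    """Split the RFA parameter into its action, redirect target and nested fragment."""
    # parse_qs decodes one layer, turning "PostTicket%3A%3Ahttp%3A..." into
    # "PostTicket::http://...?wahash=%23tab%3Dcontent" (wahash is still encoded once).
    query = login_url.partition("?")[2]
    rfa = parse_qs(query, keep_blank_values=True)["RFA"][0]
    action, _, target = rfa.partition("::")
    parts = urlsplit(target)
    target_query = parse_qs(parts.query, keep_blank_values=True)
    # The second decode happens here: "%23tab%3Dcontent" becomes "#tab=content",
    # i.e. a page fragment that the redirect target will reapply client-side.
    wahash = target_query.get("wahash", [""])[0]
    return {
        "action": action,
        "target": target,
        "target_host": parts.netloc,
        "target_path": parts.path,
        "wahash": wahash,
    }


if __name__ == "__main__":
    for depth, form in enumerate(decode_layers(raw_rfa(LOGIN_URL))):
        print(f"decoded {depth}x: {form}")
    for key, value in decode_rfa(LOGIN_URL).items():
        print(f"{key:12s} {value}")
```

Running it prints the RFA value as sent, decoded once (the form a server would see after a single URL decode) and decoded twice (the final browser-side target with its "#tab=content" fragment). A literal match value in a successful-logon check can only match one of these forms, so comparing the configured string against each decoded layer, and against what the application actually returns, is a quick way to see which one was typed in.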