F5 APM HTTP Form Based Authentication
Hi All,
We have a requirement and would like your views on how to achieve it using F5 LTM+APM.
Environment: Legacy Application integrated with internal Active Directory, with form based authentication. F5 LTM+APM to be deployed as reverse proxy.
Requirement: Internal users are to be created in the internal AD and allowed access to the legacy application. For third-party users accessing from the internet, a user directory is to be created in the cloud and the authentication status shared with the F5 reverse proxy. Then, after successful authentication, F5 will have to submit the legacy application's HTTP form-based authentication page with a read-only internal AD account (to be configured in the F5 configuration). Will it be possible to insert the AD account credentials into the F5 response to the application authentication page, so that the user is able to access the legacy application without an AD account? This would avoid having to create external users in the internal Active Directory.
Can you please advise whether this requirement can be achieved?
Thank you.
- AMiles_377865
Cirrocumulus
Hello Vinodh,
There is a well-documented method for performing authentication from multiple AD domains using user input that Cody Green posted, Multiple Domain Authentication, but this method does rely on user input and would not be transparent to your end user.
There's no particular reason this VPE set-up can't be changed to other forms of authentication as well, including your Cloud authentication. From the sound of it, you might want to look into setting up a SAML federation, with the F5 as a service provider and whatever cloud authentication system you have as the identity provider.
At a high-level, users would hit your logon page, and select either local or cloud authentication. Based on that setting, the user would navigate to either your Local AD auth or your Federated auth.
Best of luck,
Austin
- vinodhkumarc_28
Nimbostratus
Hi Austin,
Thanks a lot for your reply.
The issue here is that the legacy application is integrated with the local AD, and the IT Security team now wants to remove the contractor accounts from the local domain. But there is no way for the application authentication to be altered due to limitations. Now, we will be able to authenticate contractors with external authentication integrated with F5, but to access the legacy application the connection still requires a local AD account, which prompts for a username/password page. So I was checking if it's possible to insert a service account using an iRule into all successfully authenticated contractor sessions to allow access to the legacy application.
Regards, Vinodh
- AMiles_377865
Cirrocumulus
Thank you for clarifying, Vinodh, I understand your problem a little better. I can't think of any way to dynamically insert the credentials into AD transparently. Any solution I can come up with involves changing the configuration of the AD auth at least a little, which is against your limitations.
The best thing I could imagine right now would be to call an iRule from an Agent Event after your consultants have successfully been authenticated. This would assign them the variables needed for the shared service account. But without re-configuring the legacy AD for SSO I'm not sure you can do anything with that beyond having the user log in manually. This could maybe be done by having a message box provide the contractor with the login info, though this solution is not very secure.
Let me know if you figure something out. I'd be interested in whatever solution you come up with.
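The Agent Event approach Austin describes above, written out as an added iRule example (not code from the thread, from F5, or from either poster). It assumes an APM access policy in which an iRule Event agent with ID `set_legacy_sso` sits after the external-authentication branch, a Forms-based SSO profile attached to the access profile that reads the standard `session.sso.token.last.username` / `session.sso.token.last.password` variables, and a data group named `svc_password_dg` holding the read-only service-account password under the key `legacy_sso`; the account name `svc_legacy_ro` and the `session.custom.legacy.actor` variable are hypothetical names chosen for this example.

```tcl
# Added example, not from the original thread.
# Runs when the APM access policy reaches the iRule Event agent placed
# after the contractor's external (cloud) authentication has succeeded.
when ACCESS_POLICY_AGENT_EVENT {
    # Only act for the agent that was given the ID "set_legacy_sso";
    # other iRule Event agents in the same policy are left alone.
    if { [ACCESS::policy agent_id] eq "set_legacy_sso" } {

        # Identity the contractor actually authenticated with (cloud IdP).
        set actor [ACCESS::session data get session.logon.last.username]

        # Read-only internal AD service account (hypothetical name).
        set svc_user "svc_legacy_ro"

        # Password is kept out of the iRule body in a data group
        # (assumed name: svc_password_dg, key: legacy_sso).
        set svc_pass [class match -value "legacy_sso" equals svc_password_dg]

        if { $svc_pass eq "" } {
            # Fail closed: without the secret, deny rather than fall back
            # to prompting the contractor for AD credentials.
            log local0. "legacy SSO: service password missing for $actor"
            ACCESS::session remove
            return
        }

        # Populate the variables the Forms-based SSO profile uses to fill
        # the legacy application's logon form on the contractor's behalf.
        ACCESS::session data set session.sso.token.last.username $svc_user
        ACCESS::session data set session.sso.token.last.password $svc_pass

        # Keep the real identity on the session so that the shared service
        # account can still be tied back to a person in APM logs/reports.
        ACCESS::session data set session.custom.legacy.actor $actor

        # Log the mapping (never the password).
        log local0. "legacy SSO: $actor mapped to $svc_user"
    }
}
```

In the SSO profile, the form parameters reference the same variables, e.g. `username=%{session.sso.token.last.username}`. Because every contractor then reaches the legacy application as one shared AD identity, the application's own logs can no longer distinguish users; the `session.custom.legacy.actor` variable and the APM session log are what restore that accountability, so they should be retained and forwarded to the SIEM. The service account should be limited to the minimum rights the application needs and monitored for logons from any source other than the F5.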