F5 APM retrieve AD groups and resend using HTTP POST parameter
Dear all,
I am looking at a particular situation where an internal web server needs to know what kind of AD membership groups are assigned to a user that tries to login. The authentication only takes place on the F5 APM and NOT on the internal server. The internal server only needs to verify AD group membership, but may not communicate to AD.
The idea is to:
- Create a login page using APM
- authenticate using username and password to AD
- Retrieve the AD group membership
- Include a POST parameter with these AD group membership information and send it to the internal webserver
Somebody already had a similar situation before?
Yes this is fairly simple. Use LTM+APM mode, and AD Query / AD Auth in your Access Policy. Set the "start uri" parameter to your backend app's URI, and use forms-based SSO (server-initiated) to fill in the resultant session variables from your AD Query into your form parameter. The groups will be in the form of a pipe-delimited list of the group DNs that came back from the query.