Forum Discussion
F5 APM retrieve AD groups and resend using HTTP POST parameter
Dear all,
I am looking at a particular situation where an internal web server needs to know what kind of AD membership groups are assigned to a user that tries to log in. The authentication only takes place on the F5 APM and NOT on the internal server. The internal server only needs to verify AD group membership, but may not communicate with AD.
The idea is to:
- Create a login page using APM
- authenticate using username and password to AD
- Retrieve the AD group membership
- Include a POST parameter with this AD group membership information and send it to the internal web server
Has somebody already had a similar situation before?
- Dan_73594 (Historic F5 Account)
Hi Marvin,
Is this to say the first request to the backend server must be a POST, and that POST must contain AD group membership?
Dan
- Lucas_Thompson_ (Historic F5 Account)
Yes this is fairly simple. Use LTM+APM mode, and AD Query / AD Auth in your Access Policy. Set the "start uri" parameter to your backend app's URI, and use forms-based SSO (server-initiated) to fill in the resultant session variables from your AD Query into your form parameter. The groups will be in the form of a pipe-delimited list of the group DNs that came back from the query.
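The backend side of what Lucas describes, as an added example that is not from the thread or from F5: it parses the pipe-delimited list of group DNs that forms-based SSO posts and checks for a required group, failing closed when the field is missing or repeated. The form field name "ad_groups" and the sample POST body are assumptions constructed for the example; ensuring that such POSTs can only arrive via the APM is a separate matter this code does not cover.

```python
from urllib.parse import parse_qs, urlencode

# Constructed sample of the server-initiated SSO POST body (not a real capture).
# The group value is the pipe-delimited list of DNs returned by the APM AD Query.
SAMPLE_BODY = urlencode({
    "username": "alice",
    "ad_groups": "CN=Web Admins,OU=Groups,DC=example,DC=com"
                 "|CN=Staff,DC=example,DC=com",
})

def _split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped (e.g. 'CN=Smith\\, John')."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts

def parse_group_dns(raw):
    """Turn the pipe-delimited DN list into a set of normalised DNs.
    AD DNs compare case-insensitively and whitespace around RDN separators is
    insignificant, so both are normalised before comparison."""
    groups = set()
    for dn in raw.split("|"):
        dn = dn.strip()
        if dn:
            groups.add(",".join(p.strip().lower() for p in _split_rdns(dn)))
    return groups

def is_member(posted_body, required_dn, field="ad_groups"):
    """True only if the posted list contains required_dn (hypothetical field name)."""
    values = parse_qs(posted_body, keep_blank_values=True).get(field, [])
    if len(values) != 1:
        # Missing or duplicated parameter: fail closed rather than pick one.
        return False
    return parse_group_dns(required_dn) <= parse_group_dns(values[0])
```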
- MarvinCirrocumulus
Hi Lucas, yes, I was exactly thinking about that scenario, but wanted to verify point 4. Do you have an example of how to configure the forms-based SSO? Should I use the form action to include the session variable with the AD groups? Where am I able to define the parameter used for this purpose?
- MarvinCirrocumulus
Ahh ok, just like a hidden form, great!! That's why I love DevCentral :-), thanks!!
- MarvinCirrocumulus
Hi Lucas, I am working on this configuration. Authentication works fine, and F5 APM also receives the AD group information. I configured the SSO form profile similar to your example. In the APM log I see that the policy result is allow; however, I don't see any HTTP POST being sent by the SSO form functionality.
I have properly applied the SSO profile to the Access policy. Do you have any idea how to find the cause?
- MarvinCirrocumulus
Hi Dan, yes that is correct.