Forum Discussion

Marvin_129795's avatar
Marvin_129795
Icon for Nimbostratus rankNimbostratus
Dec 13, 2016

F5 APM retrieve AD groups and resend using HTTP POST parameter

Dear all,   I am looking at a particular situation where an internal web server needs to know what kind of AD membership groups are assigned to a user that tries to login. The authentication only ...
ad
ad authentication
application delivery
BIG-IP Access Policy Manager (APM)
parameter
post
security
  • Lucas_Thompson_'s avatar
    Lucas_Thompson_
    Dec 13, 2016

    Yes this is fairly simple. Use LTM+APM mode, and AD Query / AD Auth in your Access Policy. Set the "start uri" parameter to your backend app's URI, and use forms-based SSO (server-initiated) to fill in the resultant session variables from your AD Query into your form parameter. The groups will be in the form of a pipe-delimited list of the group DNs that came back from the query.

     

Lucas_Thompson_'s avatar
Lucas_Thompson_
Historic F5 Account

Yes this is fairly simple. Use LTM+APM mode, and AD Query / AD Auth in your Access Policy. Set the "start uri" parameter to your backend app's URI, and use forms-based SSO (server-initiated) to fill in the resultant session variables from your AD Query into your form parameter. The groups will be in the form of a pipe-delimited list of the group DNs that came back from the query.

 

Marvin's avatar
Marvin
Icon for Cirrocumulus rankCirrocumulus
Dec 28, 2016

Hi Lucas, I am working on this configuration, authentication works fine, also F5 APM receives AD group information. I configured SSO form profile similar to your example. In the APM log I see that policy result is allow, however I don´t see any HTTP POST being send by the SSO form funcionality.

 

I have properly applied the SSO profile to the Access policy. Do you have any idea how to find the cause?