Forum Discussion

Marvin_129795
Dec 13, 2016

F5 APM retrieve AD groups and resend using HTTP POST parameter

Dear all,

 

I am looking at a particular situation where an internal web server needs to know which AD membership groups are assigned to a user who tries to log in. The authentication only takes place on the F5 APM and NOT on the internal server. The internal server only needs to verify AD group membership, but may not communicate with AD.

 

The idea is to:

 

  1. Create a login page using APM
  2. authenticate using username and password to AD
  3. Retrieve the AD group membership
  4. Include a POST parameter with this AD group membership information and send it to the internal web server

Has somebody already had a similar situation before?

 


  • Lucas_Thompson_
    Historic F5 Account

    Yes this is fairly simple. Use LTM+APM mode, and AD Query / AD Auth in your Access Policy. Set the "start uri" parameter to your backend app's URI, and use forms-based SSO (server-initiated) to fill in the resultant session variables from your AD Query into your form parameter. The groups will be in the form of a pipe-delimited list of the group DNs that came back from the query.

     
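    An added example (not part of this thread or of any F5 code) of what the internal web server does with the parameter Lucas describes: APM's AD Query result, a pipe-delimited list of group DNs, is posted into a form field. The field name `ad_groups`, the constructed DN values and the source session variable `session.ad.last.attr.memberOf` are assumptions; the check only makes sense if the backend is reachable solely through APM, since the parameter is the asserted identity.

    ```python
    import re
    from typing import List

    # Constructed sample of the posted form field "ad_groups" (not real directory data).
    # Format follows the answer above: group DNs separated by "|", as APM emits them
    # from a session variable such as %{session.ad.last.attr.memberOf}.
    SAMPLE_GROUPS_PARAM = (
        "CN=App Users,OU=Groups,DC=example,DC=local|"
        "CN=Finance\\, Reporting,OU=Groups,DC=example,DC=local|"   # escaped comma in CN
        "CN=Domain Users,CN=Users,DC=example,DC=local"
    )

    # Split a DN on commas that are not escaped with a backslash (RFC 4514 style).
    _DN_SPLIT = re.compile(r"(?<!\\),")


    def parse_group_dns(param: str) -> List[str]:
        """Split the pipe-delimited field into individual group DNs, dropping empty entries."""
        return [dn.strip() for dn in param.split("|") if dn.strip()]


    def normalize_dn(dn: str) -> str:
        """Canonicalise a DN for comparison: lower-case, no whitespace around RDNs or '='."""
        parts = []
        for rdn in _DN_SPLIT.split(dn):
            attr, _, value = rdn.partition("=")
            parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
        return ",".join(parts)


    def group_cns(dns: List[str]) -> List[str]:
        """Return the leading CN of each group DN, with escaped commas restored."""
        cns = []
        for dn in dns:
            attr, _, value = _DN_SPLIT.split(dn)[0].partition("=")
            if attr.strip().lower() == "cn":
                cns.append(value.strip().replace("\\,", ","))
        return cns


    def is_member(param: str, required_dn: str) -> bool:
        """True if required_dn is among the posted groups; DN comparison is case-insensitive."""
        wanted = normalize_dn(required_dn)
        return any(normalize_dn(dn) == wanted for dn in parse_group_dns(param))
    ```

    Comparing whole normalised DNs rather than bare CNs avoids matching a same-named group from another OU.
    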

    • Marvin

      Hi Lucas, another question: there is still some tuning to do, like when the user logs off the session within the application it remains active on the F5 side.

       

      How can I make sure that the F5 will close the session when the client logs off within the application?

       

      Is it perhaps necessary to change the portal type so it will show the F5 logoff button in the upper menu, and the customer needs to log off using the F5 logoff button? In LTM+APM mode I don't see this menu bar.

       

      Any ideas?

       

    • Lucas_Thompson_
      Historic F5 Account

      Great! Thanks for reporting back. You can use that curly brace in a lot of different places in APM for session variable substitution. It's pretty useful for different stuff.

       

  • Dan_73594
    Historic F5 Account

    Hi Marvin,

     

    Is this to say the first request to the backend server must be a POST, and that POST must contain AD group membership?

     

    Dan