Forum Discussion
F5 newbie - trying to work things out - help :)
You need F5 APM for SSO, not ASM. You can check the link below and see the option for a global profile under Profile Scope and also the option "SSO / Auth Domains: Primary Authentication URI". The ASM will just block you if you haven't passed the login page first, if you have correctly configured this (https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-13-0-0/5.html). The ASM and APM can work well together to accomplish the things you want:
https://support.f5.com/csp/article/K54217479
https://support.f5.com/csp/article/K13315545
https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-13-1-0/40.html
AlexS_yb, Mar 20, 2021 (Cirrocumulus)
Thanks, I think I have done that. Sorry, I am new to the F5 and the terminology.
So I created these VSs:
- auth.xyz.com ... this is the URL for the shared SSO (multidomain)
- auth.xyz.com_redirect, so http -> https
- demo.xyz.com ... this is really an empty config, no resources, but I currently have 2 add-ons (1: iRule set and 2: policy rule). I am doing both for testing; not sure which is the preferred (best practice). I can see that the iRule is very flexible.
- demo.xyz.com_redirect, http -> https
- demo.xyz.com_default ... this is the default VS from the empty one above. For the iRule I use a switch to decide which VS to use based upon the URI, and I have a policy which does the same; both have a catch-all at the bottom that sends it to this VS.
- demo.xyz.com_case2 ... this is the VS that handles /testsso/validsso; basically it wants a valid SSO token. This is where I am stuck.
So on auth.xyz.com & demo.xyz.com_case2 I have SSO attached, the same one set up as multidomain.
I have a per-session access rule in place for both of them, although different.
For auth it sets up the login page, does an AD login and saves the variables to the SSO tokens.
For demo.xyz.com_case2 it has its own per-session access profile, which basically just does the SSO token task; this sends it to the login URL, https://auth.xyz.com, and that works. Once logged in it uses the F5Networks-SSO-Resp mechanism to go from auth to demo.
So this is me guessing, but the demo VS (the shell one) takes that and sends it to the demo_default VS, which doesn't have an access profile associated with it, so it fails!
I don't want an access profile attached to the default as I want people to come there without an SSO token.
So what I have done in the iRule and also the LTM policy is redirect demo/F5Networks-SSO-Resp to auth/F5Networks-SSO-Resp, and that works.
I would write an iRule to do it myself without the redirect, but I don't know how, and I wouldn't know how to do it in the LTM policy. I am guessing a TCL command?
I had a quick look at the documents, but I believe I have done what they are suggesting, or I am missing something; I think we are getting around the terminology.
I was thinking maybe just add an access policy to the demo_default VS.
Also I believe I have set both the auth access policy to global and the demo_case2 to global?
Thanks for the input.
Still lost, not 100% sure of the next steps, to do it the F5 way.
EDIT
Creating a BIG-IP ASM security policy and applying it to the layered virtual server
Impact of procedure: Performing the following procedure should not have a negative impact on the system.
To create the server, perform the appropriate procedures outlined in the following F5 manuals:
- For BIG-IP ASM 13.x and 14.x, refer to the Creating a Simple Security Policy chapter of the BIG-IP Application Security Manager: Getting Started manual.
I tried to follow this, but I can't do that under my Security main menu; I only have Cloud Services!
In fact, most of the steps below that I can't do,
from this article: https://support.f5.com/csp/article/K13315545
Am I missing something? I am on 15.1.
EDIT #2
I found on the licensing page that the ASM module didn't look like it was enabled, so I have enabled it ... maybe that's what I have been missing!
EDIT #3
Turning on the ASM module, after reboot, I had lost all of my work :( time for a break... sigh
EDIT #4
So I rebuilt it:
vs_base -> this has the ASM attached to it
Policy route for validsso to a new VS
The SSO works, but it's still not processing the F5Networks-SSO-Resp URI :(
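As an added example that is not code from this thread or from F5, here is an LTM iRule of the shape the poster describes for the "shell" demo.xyz.com virtual server: a `switch` on the request path that picks a target virtual server, with a catch-all at the bottom. It differs from the poster's current workaround in one respect: the F5Networks-SSO-Resp path is steered with the `virtual` command to the virtual server that carries the per-session access profile, instead of being redirected to auth.xyz.com. The virtual server names and the `/Common` partition are assumptions that mirror the poster's naming; whether this alone resolves the SSO-Resp handling in their deployment has not been tested here.

```tcl
# Added example, not from the thread or from F5.
# Attach this iRule to the "shell" demo.xyz.com virtual server.
# Assumed virtual server names (adjust to the real configuration):
#   /Common/demo.xyz.com_case2   - carries the per-session access profile (SSO token check)
#   /Common/demo.xyz.com_default - no access profile, anonymous access allowed
when HTTP_REQUEST {
    # Normalise once: lower-case, and use HTTP::path so a query string
    # cannot defeat the glob patterns below.
    set path [string tolower [HTTP::path]]

    switch -glob -- $path {
        "/f5networks-sso-resp*" {
            # Multi-domain SSO response from auth.xyz.com. Keep it on the
            # virtual server that owns the access profile rather than
            # bouncing the browser back to auth.xyz.com.
            set target "/Common/demo.xyz.com_case2"
        }
        "/testsso/validsso*" {
            # Protected area: the access profile on case2 requires a valid
            # SSO token and sends unauthenticated users to the login URL.
            set target "/Common/demo.xyz.com_case2"
        }
        default {
            # Catch-all: anonymous traffic goes to the default virtual server.
            set target "/Common/demo.xyz.com_default"
        }
    }

    # Audit trail for troubleshooting the routing decision (/var/log/ltm).
    log local0.info "[IP::client_addr]:[TCP::client_port] [HTTP::host]$path -> $target"

    virtual $target
}
```

The `log local0.info` line is what you would watch while reproducing the failure: if the SSO-Resp request shows up routed to the default virtual server, the switch pattern is not matching the path the browser actually sends, and the entry shows you the exact path to compare against.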