Forum Discussion
F5 newbie - trying to work things out - help :)
Thanks for all your help. That last document is about where I started from.
I think my next step is to try to apply APM to the dem.xyz.com_default vs and somehow allow any access.
You just need to add the same SSO object and add only an allow action at the end of it in the access policy (the main access profile and the one for the default VIP need to be with a scope global), or better yet, you can just add the same profile with a profile scope "Profile" for demo.xyz.com_secret and demo.xyz.com_default. When the user logs in to demo.xyz.com_secret and after that tries to access demo.xyz.com_default, they will not need to pass the profile checks again, as there is a session created for the user when they accessed demo.xyz.com_secret :) Test it out, lab it out, and it will work.
AskF5 | Manual Chapter: Understanding Access Policies
With ASM enforce login page you will block the users from first trying to enter demo.xyz.com_default before demo.xyz.com_secret
AskF5 | Manual Chapter: Creating Login Pages for Secure Application Access
F5 has a trial license for VMware, so test it in your home. Also go to learn F5 and pass the getting started for ASM/APM and, if needed, LTM:
Also check the operations guides, they are great:
- AlexS_yb, Mar 22, 2021, Cirrocumulus
Hi
I'm a bit lost here.
"With ASM enforce login page you will block the users from first trying to enter demo.xyz.com_default before demo.xyz.com_secret"
But I don't want people to have to log in to access the site by default - only some URIs.
Let me rephrase it back to you
vs-auth << main auth ltm policy to vs-auth-apm
vs-auth-apm has apm attached
vs-demo << main vs, using irule to send to other vs. also a policy profile that turns on ASM with a profile
vs-demo-default << all the default traffic , no access profile - nothing special
vs-demo-validsso << has access profile . policy is start -> sso variable -> accept
This sort of works, the F5NetworkSSO URI still doesn't work, not picked up by vs-demo or vs-demo-default. Right now I map this to vs vs-auth or vs-demo-validsso, not the best but
vs-demo-validip << has access profile and per request profile ... it fails (by design, to test). The fail page fails. Even when I map the URL to vs-auth or vs-demo-validsso it fails, seems like it is only processed properly by vs-demo-validip
SSO is set up as multidomain and all the access profiles (per session) are set up as global.
So ... what I am trying to do is insert into the headers what vs the call was from so I can map /public /vdesk /F5Networks back to that vs. Not ideal, in fact rather bad, as I would think it should just work... but ..