Rosieodonell
Feb 11, 2020
Solved

Help with Access policy and embedded links asking for login again

Hey Everyone,

I have a virtual server that has a login page (webpage A) that requests AD authentication and 2-factor for a user. It opens up to a SharePoint site, and on one of the SharePoint pages it has a "URL" that points to another location (webpage B) on another pool. I have an iRule that looks like this for the virtual server:

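when HTTP_REQUEST {
  # The host is lower-cased before comparing, so the literal is lower case too
  if {[info exists accessbypass] && ($accessbypass equals "1") && [string tolower [HTTP::host]] starts_with "webpageb"} {
    # accessbypass was set by an earlier request: skip the access policy for webpageB
    ACCESS::disable
    pool webpageB_80_pool
  } elseif {[string tolower [HTTP::host]] starts_with "webpageb"} {
    # Request for webpageB with no flag set yet: run the access policy
    ACCESS::enable
    pool webpageB_80_pool
    set accessbypass 1
  } else {
    # Any other host (webpageA): run the access policy and set the flag
    ACCESS::enable
    set accessbypass 1
  }
}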

So basically, when a user logs into webpageA they get the prompt and sign in fine. They then click on the link on webpageA to webpageB and get prompted for a sign-in again. I want it to not prompt the user for a log-in if they have already signed into webpageA and get redirected to webpageB. However, if they go directly to webpageB I want to have them sign in. This traffic is all on the same virtual server. I have tried setting the "profile scope" to virtual server and global but that didn't help.

Hopefully someone has a suggestion to help me?

  • Hey Everyone,

    I did a different workaround to make this work. I used a rewrite profile and an iRule to fix my issue. The rewrite profile allowed me to rewrite the traffic if the users had a link that started with the following:

    https://webpageA.company.com/loginportal/

    and changed the traffic to:

    http://webpageB.company.com/

    on the back end. It would then leave all the remaining webpageA traffic alone. Same with the iRule:

    when HTTP_REQUEST {
      # Send /loginportal and everything under it to the webpageB pool
      switch -glob -- [string tolower [HTTP::uri]] {
        "/loginportal" -
        "/loginportal/*" {
          pool webpageB_80_pool
        }
        "*CONTAINS*" {}
        "STARTSWITH*" {}
        "*ENDSWITH" {}
      }
    }

    All the normal webpageA traffic worked fine but the traffic with the URL link "loginportal/" went to the new pool correctly. Just wanted to share what I did to fix it and not leave a question up in DevCentral.
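The URI matching in the reply's iRule can be checked off-box before it decides which requests leave the webpageA pool. The following plain-Tcl harness is an added example, not the poster's code; `route_for`, the `default` label and the sample URIs are constructed for illustration. It shows one edge case: `HTTP::uri` includes the query string, so `/loginportal?x=1` matches neither pattern.

```tcl
# Plain-Tcl model of the reply's routing switch, runnable in tclsh (no BIG-IP needed).
# route_for is a hypothetical helper; "default" means no pool command would run,
# so the request stays on the virtual server's default pool.
proc route_for {uri} {
    switch -glob -- [string tolower $uri] {
        "/loginportal" -
        "/loginportal/*" { return webpageB_80_pool }
        default          { return default }
    }
}

# Constructed sample URIs, each followed by the pool it is expected to select.
set cases {
    /loginportal                 webpageB_80_pool
    /loginportal/                webpageB_80_pool
    /LoginPortal/Home.aspx       webpageB_80_pool
    /loginportal/a?x=1           webpageB_80_pool
    /loginportal?x=1             default
    /loginportal2/               default
    /sites/hr?next=/loginportal/ default
}

set failures 0
foreach {uri expected} $cases {
    set got [route_for $uri]
    if {$got ne $expected} { incr failures }
    puts [format "%-30s -> %s" $uri $got]
}
if {$failures} { error "$failures routing case(s) did not match" }
```

If a bare `/loginportal` with a query string should also reach webpageB, matching on `HTTP::path` instead of `HTTP::uri` removes the query string from the comparison.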
