Forum Discussion
How to use APM external logon pages?
Hi, I need to authenticate users accessing my web application. To do that I'm using an authentication profile with the built-in logon page (linked with a RADIUS server). It's working perfectly. But for design purposes, I need to use an authentication form specially designed for my web application (CSS, fonts, ...). I can't do that with the built-in logon page. So I would use an external logon page to do that (just to externalize the HTML form, but not to externalize the authentication process, which must be managed by the F5 APM). I read the documentation about external logon pages ( http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-config-11-4-0/apm_config_general_actions.html195539 ) but it's not very clear to me. Can you give me some examples of external logon page implementations? Do I need to add an iRule to capture and pass variables (user and password) to the F5 APM authentication process? (because my external form will just present the HTML form, but will not do the authentication). Thank you for your help. Vincent
8 Replies
- kmurphy_130520
Nimbostratus
How would this solution differ if the backend server (http://logon.acme.com/ in this case) was the one performing the authentication and not the F5?
Is there a way for APM to still capture the username that was entered on the external logon page?
- kmurphy_130520
Nimbostratus
Any ideas on this? Thanks
- Mark_van_D
Cirrostratus
As long as after a successful authentication the backend server posts the username back to my.policy it should work. If you need to capture anything other than username/password you will need to use an irule and use: ACCESS::restrict_irule_events disable.
Out of curiosity what are you trying to do?
- kmurphy_130520
Nimbostratus
I'm trying to capture the username inputted on a backend login page and store it in an APM session. I don't have the ability to change the POST action on the web application, so it can't be posted directly back to my.policy.
I'm currently trying to achieve this with an iRule but no luck yet...
- kmurphy_130520
Nimbostratus
To anyone else looking to achieve this, I was able to do it using an iRule provided by an F5 resource:
start of irule

```tcl
when RULE_INIT {
    # must recognize attempts to login to application (e.g., CareLink)
    set static::login_action "/EpicCareLink/common/epic_check.asp"
    set static::uid_field "Account_ID"
}

when HTTP_REQUEST {
    set savecreds false
    if {([HTTP::uri] eq $static::login_action) && ([HTTP::method] eq "POST")} {
        # client is attempting application login, so we will save the username
        set savecreds true
        set uid ""
        set clen [HTTP::header Content-Length]
        set clen [expr {(($clen eq "") || ($clen > 10240)) ? 10240 : $clen}]
        if {$clen > 0} { HTTP::collect $clen }
        return
    }
}

when HTTP_REQUEST_DATA {
    foreach field [split [HTTP::payload] "&"] {
        foreach {n v} [split $field "="] {
            if {$n eq $static::uid_field} { set uid [URI::decode $v] }
        }
        if {$uid ne ""} { break }
    }
    HTTP::release
}

when ACCESS_ACL_ALLOWED {
    if { $savecreds } {
        ACCESS::session data set session.custom.carelinkusername $uid
    }
}
```

end of irule
- kmurphy_130520
Nimbostratus
Sorry, the format was absolutely butchered there. If a moderator could edit that into a code block that'd be great. Thanks
- DenisG_22372
Historic F5 Account
```tcl
when RULE_INIT {
    # must recognize attempts to login to application (e.g., CareLink)
    set static::login_action "/EpicCareLink/common/epic_check.asp"
    set static::uid_field "Account_ID"
}

when HTTP_REQUEST {
    set savecreds false
    if {([HTTP::uri] eq $static::login_action) && ([HTTP::method] eq "POST")} {
        # client is attempting application login, so we will save the username
        set savecreds true
        set uid ""
        set clen [HTTP::header Content-Length]
        set clen [expr {(($clen eq "") || ($clen > 10240)) ? 10240 : $clen}]
        if {$clen > 0} { HTTP::collect $clen }
        return
    }
}

when HTTP_REQUEST_DATA {
    foreach field [split [HTTP::payload] "&"] {
        foreach {n v} [split $field "="] {
            if {$n eq $static::uid_field} { set uid [URI::decode $v] }
        }
        if {$uid ne ""} { break }
    }
    HTTP::release
}

when ACCESS_ACL_ALLOWED {
    if { $savecreds } {
        ACCESS::session data set session.custom.carelinkusername $uid
    }
}
```
- brad_11480
Nimbostratus
```tcl
when RULE_INIT {
    # must recognize attempts to login to application (e.g., CareLink)
    set static::login_action "/EpicCareLink/common/epic_check.asp"
    set static::uid_field "Account_ID"
}

when HTTP_REQUEST {
    set savecreds false
    if {([HTTP::uri] eq $static::login_action) && ([HTTP::method] eq "POST")} {
        # client is attempting application login, so we will save the username
        set savecreds true
        set uid ""
        set clen [HTTP::header Content-Length]
        set clen [expr {(($clen eq "") || ($clen > 10240)) ? 10240 : $clen}]
        if {$clen > 0} { HTTP::collect $clen }
        return
    }
}

when HTTP_REQUEST_DATA {
    foreach field [split [HTTP::payload] "&"] {
        foreach {n v} [split $field "="] {
            if {$n eq $static::uid_field} { set uid [URI::decode $v] }
        }
        if {$uid ne ""} { break }
    }
    HTTP::release
}

when ACCESS_ACL_ALLOWED {
    if { $savecreds } {
        ACCESS::session data set session.custom.carelinkusername $uid
    }
}
```
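Added example, not code from the thread or from F5: a Python model of the iRule's request matching and body parsing, for checking offline what would be written to session.custom.carelinkusername for a given login POST. The function names and sample bodies are constructed, and `urllib.parse.unquote` is an assumed stand-in for `URI::decode`.

```python
from urllib.parse import unquote

LOGIN_ACTION = "/EpicCareLink/common/epic_check.asp"  # static::login_action in the thread
UID_FIELD = "Account_ID"                               # static::uid_field in the thread
MAX_COLLECT = 10240                                    # collection cap used by the iRule


def collect_length(content_length):
    """Mirror the clen expression: missing or oversized Content-Length -> cap."""
    if content_length is None or content_length > MAX_COLLECT:
        return MAX_COLLECT
    return content_length


def extract_uid(body, content_length=None):
    """Model of HTTP_REQUEST_DATA: scan only the collected bytes for UID_FIELD."""
    clen = collect_length(content_length)
    if clen <= 0:
        return ""  # nothing collected, uid keeps its initial empty value
    payload = body[:clen].decode("latin-1")
    uid = ""
    for field in payload.split("&"):
        parts = field.split("=")
        # Tcl's `foreach {n v}` walks the split list two items at a time.
        for i in range(0, len(parts), 2):
            value = parts[i + 1] if i + 1 < len(parts) else ""
            if parts[i] == UID_FIELD:
                uid = unquote(value)  # assumption: stands in for URI::decode
        if uid != "":
            break  # the first non-empty match wins
    return uid


def saved_username(uri, method, body, content_length=None):
    """Value the iRule would store, or None when savecreds stays false."""
    if uri != LOGIN_ACTION or method != "POST":
        return None  # exact match on the full URI, query string included
    return extract_uid(body, content_length)


if __name__ == "__main__":
    # Constructed sample bodies, not captured traffic.
    late = b"pad=" + b"A" * 10300 + b"&Account_ID=jdoe"
    for body in (b"Account_ID=jdoe&Password=x", b"Account_ID=a=b", late):
        print(repr(saved_username(LOGIN_ACTION, "POST", body, len(body))))
```

The model shows three cases to test before relying on the session variable: a username field that sits beyond the first 10240 bytes is never seen, a value containing `=` is cut at the first `=`, and a login URI carrying a query string does not match. The value is also captured from the request itself, so it records the submitted username whether or not the backend accepts the login.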