Inject client Authorization Header Into APM sso variables
Hi, I am trying to get the authorization header from a client request and inject the credentials into the APM SSO variables. (The client is a web server). I am pretty new to APM and its internals. I thought an iRule something like this would work:
when HTTP_REQUEST {
ACCESS::session data set "session.logon.last.username" [HTTP::username]
ACCESS::session data set "session.logon.last.password" [HTTP::password]
}
But I see no username in the APM session report where I would expect to see one.
Here is the policy:
And the SSO piece of the policy where I think it should grab the injected session variables from:
The response back to the client is:
BIG-IP logout page "....Access was denied by the access policy.."
APM Session Report:
2014-05-28 08:34:11
Received User-Agent header: Mozilla%2f5.0%20(X11%3b%20Linux%20x86_64)%20AppleWebKit%2f537.36%20(KHTML%2c%20like%20Gecko)%20Chrome%2f35.0.1916.114%20Safari%2f537.36.
2014-05-28 08:34:11
Received client info - Type: Mozilla Version: 1 Platform: Linux CPU: unknown UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 1
2014-05-28 08:34:11
New session from client IP 10.x.x.x (ST=/CC=/C=) at VIP 10.x.x.x Listener /Common/vs_xxx-dev.xxx.org_HTTPS (Reputation=Unknown)
2014-05-28 08:34:11
Following rule 'fallback' from item 'AD Auth' to terminalout 'Failure'
2014-05-28 08:34:11
Following rule 'Failure' from item 'AD auth and resources' to ending 'Deny'
2014-05-28 08:34:11
Access policy result: Logon_Deny
2014-05-28 08:34:15
\N: Session deleted due to user logout request.
I would expect to see the username injected and logged even before the AD failure.
6 Replies
- kunjan
Nimbostratus
This iRule won't be triggered until the APM policy is completed. Instead you can use 'Variable Assign' in the VPE before AD auth for those variables, username and password.
- bfrancom_123272
Nimbostratus
Thank you for the quick response. So you can pull the credentials from the client request authorization header in Variable Assign? If so, how? It's not liking my header parsing commands, e.g.:
session.logon.last.username = set username [HTTP::username] return $username
The error is: Rule evaluation failed with error: invalid command name "HTTP::username"
Thanks!
- bfrancom_123272
Nimbostratus
Wow. Having a very difficult time editing/reformatting my question. Sorry about this, I've contacted F5.
- bfrancom_123272
Nimbostratus
I got it to work with help from our internal F5 engineer! Thanks Mike! Just change the event in the iRule to "ACCESS_SESSION_STARTED", and I needed to trim the string, e.g.:
when ACCESS_SESSION_STARTED {
ACCESS::session data set "session.logon.last.username" [string trim [HTTP::username]]
ACCESS::session data set "session.logon.last.password" [string trim [HTTP::password]]
}
Also did not require the 1st SSO credential mapping in the VPE. AD takes the parameters from the iRule above without anything in betwixt.
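A more defensive variant of the working iRule above, as an added example that is not part of the original thread: it seeds the logon variables only when the request carries a Basic Authorization header with a non-empty username, and it stores the password with the `-secure` flag, which the thread's version does not use. The log messages and local variable names are assumptions.

```tcl
# Added example, not from the thread. Assumes the client sends HTTP Basic
# credentials on the request that starts the APM session.
when ACCESS_SESSION_STARTED {
    # Without an Authorization header there is nothing to seed; the
    # access policy then fails at AD Auth as in the session report above.
    if { ![HTTP::header exists "Authorization"] } {
        log local0.notice "APM session started without an Authorization header"
        return
    }

    # HTTP::username and HTTP::password only make sense for the Basic scheme.
    if { ![string match -nocase "basic *" [HTTP::header value "Authorization"]] } {
        log local0.notice "Authorization header is not Basic; logon variables not set"
        return
    }

    # Trim as in the working iRule from the thread.
    set user [string trim [HTTP::username]]
    set pass [string trim [HTTP::password]]

    # An empty username can only end in an AD Auth failure; stop early.
    if { $user eq "" } {
        log local0.notice "Basic Authorization header carried an empty username"
        unset -nocomplain pass
        return
    }

    ACCESS::session data set "session.logon.last.username" $user
    # -secure keeps the password encrypted in the session database.
    ACCESS::session data set -secure "session.logon.last.password" $pass

    # Never write the credentials themselves to the log.
    log local0.info "Seeded session.logon.last.* from Basic Authorization header"
    unset -nocomplain pass
}
```

Because the password arrives in a Basic header, the virtual server should only accept these requests over HTTPS, as the listener in the session report does.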