Forum Discussion

mike_bailey_aws
Sep 15, 2020

iRule to bypass SSO/APM Policy

Working on a solution to implement OAuth SSO for an application with a URL redirect to an external logon page and this seems to be working with the APM policy.

But the server hosts more than one application, and therefore some URIs need SSO applied and some do not. So essentially:

App1 = SSO required

App2 = SSO not required

App 1 has multiple URLs:

https://myserver.net/App1/*

https://myserver.net/NewApp1/*

https://myserver.net/oauth/*

App2 has multiple URLs:

https://myserver.net/App2/*

https://myserver.net/auth/*

As stated, the SSO APM policy applied to the Virtual Server was working, but then I had reports that App2 access was broken because users were being redirected to the external logon page.

So I tried adding to the existing iRule applied to the virtual server a check for the App2 URLs and disabling the access policy:

when HTTP_REQUEST {
    # App2 URIs: skip the APM access policy for this connection
    if { ( [string tolower [HTTP::uri]] starts_with "/app2" ) or
         ( [string tolower [HTTP::uri]] starts_with "/auth" ) } {
        log local0. "User accessing App2 bypassing APM SSO policy for [HTTP::uri]"
        ACCESS::disable
    }
}

Which seems to work but has a drawback as follows:

User accesses App1 first and APM policy applies, they logout of the app

User then accesses App2; the logs show my log message above and the Access policy is disabled, so no SSO is applied

However, if the user starts by accessing App2 and then tries App1, when they try to access App1 no policy is applied and they get a 500 error message from the backend server, as SSO hasn't been applied.

I'm assuming that's because, by first accessing App1, the ACCESS::disable has stopped the policy applying and a TCP connection is open to the backend.

So I tried to add another part to the iRule to force the APM policy for App1 URIs:

when HTTP_REQUEST {
    # App2 URIs: skip the APM access policy for this connection
    if { ( [string tolower [HTTP::uri]] starts_with "/app2" ) or
         ( [string tolower [HTTP::uri]] starts_with "/auth" ) } {
        log local0. "User accessing App2 bypassing APM SSO policy for [HTTP::uri]"
        ACCESS::disable
    }

    # App1 URIs: re-enable the APM access policy on this connection
    if { ( [string tolower [HTTP::uri]] starts_with "/app1" ) or
         ( [string tolower [HTTP::uri]] starts_with "/newapp1" ) or
         ( [string tolower [HTTP::uri]] starts_with "/oauth" ) } {
        log local0. "User accessing App1 enforcing APM SSO policy for [HTTP::uri]"
        ACCESS::enable
    }
}

That doesn't seem to work; in testing I did get one hit on the log for "User accessing App1", but I can sit in the browser clearing the cache, deleting cookies and repeatedly refreshing with the App1 URL and just get 500 errors from the backend.

So the iRule doesn't seem to be hit for each new request, and the APM policy doesn't apply. No session shows in APM; it seems the client has bypassed the APM policy.

Is there a better way to stop the APM policy for some URLs whilst forcing it for others, even if a client has an active TCP connection?
