Forum Discussion
Kerberos auth and Kerberos SSO
Hello everyone!
I have a backend server which authenticates clients by Kerberos, and I want to add F5 APM between the clients and the end server. So my question is: can I configure APM to authenticate clients on the virtual server using Kerberos and then use Kerberos SSO to authenticate the clients on the backend server? If yes, which steps do I need to do?
Thanks!
Check out the APM Cookbook: Single Sign On (SSO) using Kerberos:
- Kevin_Stewart (Employee)
Client-side (AAA) and server-side (SSO) APM authentication functions generally require a set of inputs and produce a set of outputs. So combining client-side and server-side APM Kerberos is simply a matter of matching AAA outputs to SSO inputs.
So for example, APM Kerberos AAA takes as input a Kerberos ticket, which it validates, and if successful produces a session variable: session.logon.last.username, which is in the form of a userPrincipalName (ex. bob@DOMAIN.COM). It produces a few other session variables, but none of them are really useful for this exercise.
APM Kerberos SSO requires as input
- A username - defined in the "Username Source" setting in the SSO profile
- A domain - defined in the "User Realm Source" setting in the SSO profile
So basically to make Kerberos AAA and SSO work together, you need to take the AAA userPrincipalName output, and split it into separate username and domain values. You can do this in an iRule or in a visual policy variable assignment agent:
session.sso.token.last.username = return [lindex [split [mcget {session.logon.last.username}] "@"] 0]

session.logon.last.domain = return [lindex [split [mcget {session.logon.last.username}] "@"] 1]
These are the default user and domain source session variables in the Kerberos SSO profile. The [lindex [split ]] command separates the UPN into a list of two entries, separated at the "@" sign, and then consumes either the first value (index 0), or second value (index 1).
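The iRule form of the split described in the answer above, written as an added example (it is not code from the post or from F5). It assumes the iRule is attached to the APM virtual server and is triggered from the visual policy by an "iRule Event" agent whose ID is "split_upn" (the agent ID is an assumption; any ID works as long as it matches), and that session.logon.last.username holds a UPN as produced by Kerberos AAA. Unlike the one-line variable assignments, it refuses to set the SSO variables when the value is not of the form user@realm, so a malformed value fails closed rather than being forwarded to the backend as a guessed identity.

```tcl
# Added example, not from the original post: split the Kerberos AAA UPN
# (session.logon.last.username, e.g. bob@DOMAIN.COM) into the username and
# realm that the Kerberos SSO profile reads by default.
# Trigger it from the visual policy with an "iRule Event" agent whose ID is
# "split_upn" (assumed ID; use the same string in the agent and here).
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "split_upn" } { return }

    set upn [ACCESS::session data get "session.logon.last.username"]

    # A value with no "@", more than one "@", or an empty side is not a UPN.
    # Log it and leave the SSO variables unset: with no username/realm the
    # SSO profile cannot obtain a ticket, so the request fails closed instead
    # of being sent to the backend under a partially parsed identity.
    set parts [split $upn "@"]
    if { [llength $parts] != 2 || [lindex $parts 0] eq "" || [lindex $parts 1] eq "" } {
        log local0. "split_upn: session.logon.last.username is not user@realm, SSO variables not set"
        return
    }

    set user  [lindex $parts 0]
    # Kerberos realm names are conventionally upper case; normalise so the
    # realm handed to the SSO profile matches the form used in its configuration.
    set realm [string toupper [lindex $parts 1]]

    # Default "Username Source" and "User Realm Source" of the Kerberos SSO profile.
    ACCESS::session data set "session.sso.token.last.username" $user
    ACCESS::session data set "session.logon.last.domain" $realm
}
```

Place the iRule Event agent after the Kerberos Auth agent in the policy so that session.logon.last.username is populated when it runs, and check the resulting variables in the session report before enabling the SSO profile on the access policy.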