For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

drumik_61546's avatar
drumik_61546
Icon for Nimbostratus rankNimbostratus
Dec 19, 2014

needs to some help with IRule that will assign sso

I'm trying to figure out a cleaner way to redirect clients when they try to access web page directly without login first to the portal   Setup:   2 portal pages and 2 domains 2 internal applica...
301 redirect
BIG-IP Access Policy Manager (APM)
security
websso
Michael_Jenkins's avatar
Michael_Jenkins
Icon for Cirrostratus rankCirrostratus
Dec 19, 2014

The way that I've done it in our environment is the check for a valid APM session on each request. If there's no valid session, then redirect the user. 

when HTTP_REQUEST {
    if { not ([ACCESS::policy result] equals "allow") } {
        HTTP::respond 302 "http://something.org" "Connection" "Close"
    }
}

You could also perform a cookie check for MRHSession and LastMRH_Session cookies, which contain the session id for the APM session. If those don't exist, you know there's no valid session.

if { not ([HTTP::cookie exists "MRHSession"] || [HTTP::cookie exists "LastMRH_Session"]) } {
    HTTP::respond 302 "http://something.org" "Connection" "Close"
}

This is a very basic way of checking, but should be effective. the 

[ACCESS::policy result]
will be 
"allow", "deny" or ""
from what I've seen. So you could make the checks more complex if necessary, but this should give you an idea.

You can check out the this link for more info on ACCESS::session.