Forum Discussion

eparillo_27359
Jul 12, 2007

Oracle SSO/OID with Access Manager

I have a new website going into production; this website is accessible from my company's internal network and also publicly. Now, I am pretty new to iRules, but I believe I can create one to solve my problem.

Let's say I have foo.parillo.com. When a user hits the URL it immediately redirects to a login form, the user logs in, and it's all good.

Now an internal user hits foo.parillo.com. Oracle Application Server redirects to SSO, and SSO redirects to OAM (Oracle Access Manager (Oblix)), which runs an ASP to natively authenticate them to the site without prompting the user for username and password.

The problem with this process is that the ASP doesn't know what the original URL the user wanted in the first place was, so right now the ASP has a hard-coded URL in it, and this causes problems for our internal users, especially when they have a link they want to go to.

So I need to test for a cookie to see if the internal user is already logged in and, if so, just go to that HTTP request; if there is no cookie, I need to redirect the internal user to the native authentication ASP with an HTTP header of the original URL the user wanted in the first place. Then within the ASP we can redirect the user to the requested URL.

  • Deb_Allen_18
    Historic F5 Account
    I suppose some clarification of the traffic flow there would be helpful.

    User requests URI on foo.

    Response from foo is an HTTP redirect to SSO.

    Response from SSO is an HTTP redirect to OAM.

    Response from OAM is an HTTP redirect to a hardcoded URI, rather than the originally-requested URI.

    Is that accurate?

    And are all 3 hosts (foo, SSO, OAM) load balanced by LTM?

    /deb
  • I work with eparillo (Hi Ed!) - let me take it up a level and provide the functional requirements. In reality, we don't care about the ASP script or the headers - we really just need to be able to get 2 types of users authenticated before they are sent to their requested URI. Here's the use case:

    We have 2 types of users, "external" & "internal". Both can request a page from foo.com.

    For the external user, on their first request, the external user is sent to a login form and, upon successful login, is provided an authentication cookie and sent on to his originally requested page. The page the user requested physically sits on a server in our domain at xxx.corp.com. Subsequent HTTP requests are checked for a valid auth cookie and sent to xxx.corp.com. We have this working - all is good.

    For the internal user, on their first request, the internal user needs to NOT be sent to the login page - they need to be sent to a page on a different server (yyy.corp.com) that will provide them an auth cookie via Integrated Windows Authentication (IWA). After successfully getting the auth cookie, they need to be sent along to the originally requested page at xxx.corp.com.

    All URIs seen by the client need to remain as foo.com, NOT xxx.corp.com. We know how to get the authentication pieces - we have IWA and the login form working to return the correct auth cookie (this is based on the Oracle Identity Management suite). What we don't know how to do is have an iRule that can figure out how to handle the internal user's need to hit the yyy.corp.com server so that the IWA will provide the auth cookie, THEN, after you have the auth cookie, redirect to the originally requested page on xxx.corp.com.

    Does this make sense?
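One shape an iRule for the flow described in the two posts above could take, written here as an added example rather than code from the thread or from F5. Everything named in it is an assumption: the virtual server fronts foo.com and has two pools, pool_xxx (the xxx.corp.com application servers) and pool_yyy (the yyy.corp.com IWA servers); internal clients are recognised by source address against a data group called internal_nets, which must be created separately; the Oracle auth cookie is called OBSSOCookie here, and the real name must be taken from the OAM configuration; the IWA page lives under /iwa/ and reads the originally requested path from a "return" query parameter. The syntax uses the `class match` command, so it assumes a v10 or later TMOS; on the v9 releases current when this thread was written the data-group test would be `matchclass [IP::client_addr] equals $::internal_nets` instead.

```tcl
# Added example iRule, not from the original thread.
# Assumed objects: pool_xxx, pool_yyy, data group internal_nets (address type),
# cookie name OBSSOCookie, IWA page at /iwa/login.asp with a "return" parameter.
when HTTP_REQUEST {
    set auth_cookie "OBSSOCookie"

    # Already authenticated (external login form or internal IWA):
    # send the request straight to the application pool.
    if { [HTTP::cookie exists $auth_cookie] } {
        pool pool_xxx
        return
    }

    # External client without a cookie: the application server handles
    # the existing SSO redirect to the login form, so nothing to do here.
    if { ![class match [IP::client_addr] equals internal_nets] } {
        pool pool_xxx
        return
    }

    # Internal client without a cookie. Requests for the IWA page itself
    # go to the IWA pool; the client-visible host stays foo.com because
    # the request is only re-pooled, not redirected to another hostname.
    if { [HTTP::path] starts_with "/iwa/" } {
        pool pool_yyy
        return
    }

    # Anything else: bounce to the IWA page and carry the original URI
    # as a query parameter. Only the path and query are passed, never a
    # scheme or host, so the IWA page cannot be turned into an open
    # redirector by a crafted link.
    set orig [URI::encode [HTTP::uri]]
    HTTP::redirect "https://[HTTP::host]/iwa/login.asp?return=$orig"
}
```

Two checks worth doing before putting something like this in front of real users. First, the IWA page must not itself be protected by the cookie check, otherwise an internal client with no cookie loops between the redirect and the /iwa/ branch; the order of the tests above avoids that, but an OAM policy applied to /iwa/ on the server side would reintroduce it. Second, the ASP must still validate the "return" value it receives (accept only values beginning with a single "/", and reject "//" or anything containing a scheme) rather than trusting that the iRule was the only thing that ever sent it, since the parameter is client-controlled once it is in the URL.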