Forum Discussion
Redirect to external website through APM based on AD group membership.
I have an issue where I need to direct users to a separate login page if they are members of a particular AD group. We are wanting to test SAML SSO in Prod for a particular cloud application we use. If the user goes to https://cloudapp.com, the SSO will kick in and authenticate them; however, we want it so that if the user is not part of the cloudapp SSO group, they are redirected to https://cloudapp.com/login, which then prompts for cloudapp credentials.
I have this somewhat set up within my access policy. It does an AD Query and if the user is in the group, completes SSO. If the user is not in the group, it directs to an External Logon Page pointing to https://cloudapp.com/login.
The problem I am running into is that when the user is sent to the external logon, it attempts the correct URL, but just displays {"error":{"message":"That username\/password combination wasn't quite right. Make sure your caps lock isn't on and try again."}}
If I copy and paste the URL in the same session, it instantly pops up. Does using the External Logon Page within APM pass username/password in the headers? If so, is there a way to prevent this?
Thanks,
Mike
1 Reply
I was able to find a solution to this using an iRule.
```tcl
when ACCESS_POLICY_COMPLETED {
    # Flag stays empty unless the user is found in the SSO data group.
    set workfront_redirect ""

    # APM stores the user's group DNs from the AD Query as a "|"-separated string.
    set memberOfList [split [ACCESS::session data get session.ad.last.attr.memberOf] "|"]

    # Compare each trimmed group DN against the workfront_datagroup data group.
    foreach x $memberOfList {
        if { [class match [string trim $x] equals workfront_datagroup] } {
            set workfront_redirect "true"
        }
    }

    # Not in the group: send the user to the application's own login page.
    if { $workfront_redirect eq "" } {
        ACCESS::respond 302 noserver Location "https://mrc.cr1.attasksandbox.com/login"
    }
}
```
I was unable to call HTTP::redirect from within ACCESS_POLICY_COMPLETED, that's why I had to use the workaround with a 302 response.
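The decision the iRule makes (split the APM memberOf string on "|", trim each DN, test it against a data group, and 302 the user away if nothing matched) modelled in Python so it can be run and checked offline. This is an added example, not code from the thread or from F5; the memberOf string, the group DNs, and the fallback login URL are constructed placeholders. It goes one step beyond the iRule by folding DN case before comparing, since AD treats DNs case-insensitively while an exact string match does not.

```python
"""Model of the AD-group gate implemented by the iRule above (added example,
not the poster's code). All sample data here is constructed."""
from __future__ import annotations

# Constructed: what APM stores in session.ad.last.attr.memberOf after an AD
# Query is the user's group DNs joined with "|". Empty string: no groups.
SAMPLE_MEMBEROF = (
    "CN=Domain Users,CN=Users,DC=corp,DC=example|"
    " CN=CloudApp-SSO,OU=Groups,DC=corp,DC=example |"
    "CN=VPN Users,OU=Groups,DC=corp,DC=example"
)

# Constructed stand-in for the data group the iRule matches against.
SSO_GROUPS = {"CN=CloudApp-SSO,OU=Groups,DC=corp,DC=example"}

# Assumed fallback login URL (placeholder, not taken from the thread).
FALLBACK_LOGIN = "https://cloudapp.example/login"


def normalize_dn(dn: str) -> str:
    """Trim whitespace and fold case. AD compares DNs case-insensitively,
    but the iRule's 'class match ... equals' is an exact string comparison,
    so a data group entry in a different case would silently fail to match."""
    return dn.strip().lower()


def is_sso_member(memberof: str, sso_groups: set[str]) -> bool:
    """Mirror the iRule: split on '|', trim each DN, look it up in the group set."""
    if not memberof:
        return False
    wanted = {normalize_dn(g) for g in sso_groups}
    return any(normalize_dn(dn) in wanted for dn in memberof.split("|"))


def redirect_for(memberof: str, sso_groups: set[str] = SSO_GROUPS) -> str | None:
    """Return the Location for a 302 when the user is not in the SSO group,
    or None to let the access policy complete SSO as normal."""
    return None if is_sso_member(memberof, sso_groups) else FALLBACK_LOGIN


if __name__ == "__main__":
    print(redirect_for(SAMPLE_MEMBEROF))  # None: user is in the SSO group
    print(redirect_for(""))               # fallback login URL: no groups at all
```

The empty-string case matters: a user with no group memberships yields an empty memberOf in the session, and the check must treat that as "not a member" rather than raise on it.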