Forum Discussion

yves_werniers_1
Jul 17, 2014

Send credentials to backend servers through APM

Hello,

I have a Virtual Server on F5 APM to be used as a reverse proxy. It is protecting a website that uses many different applications and backend servers. Some of those applications are publicly accessible and for some you need to log in first. I have linked an iRule to the VS to enable or disable the policy (ACCESS::disable for the public resources). As one of the steps in the access policy, I use an SSO credential mapping (basic auth) to be able to send an Authorization header to the backend servers. This only sends the header if it is a protected resource, because I do ACCESS::disable for the public resources. I would, however, like to send the Authorization header to the backend if the user has an authenticated session, regardless of whether the resource is public or protected.

Does anyone have any idea about how to achieve this?

Thanks in advance, Yves

 

4 Replies

  • Bonjour Yves,

    You can use the command WEBSSO::enable or WEBSSO::disable. This command enables or disables SSO on the policy. Of course, the policy must be enabled for it to work. If the policy is disabled, APM is disabled for the user session, so there is no SSO.

    Hope this helps, Matt


  • Matt,

    That would mean all resources require a login if ACCESS::enable is used. What I am really looking for is a way to enable WebSSO without enabling access.

    Yves


  • This is a little different from your specific question, but I think it might be useful. The idea in the iRule below is that you disable the access policy until the user accesses a protected URI (defined in a string-based data group). Once the access policy has been initiated, all subsequent requests go through the completed access policy regardless of the requested URI.

    when HTTP_REQUEST {
        # Run the access policy if the client already carries an APM session
        # cookie, or if it is asking for a protected URI prefix from the
        # string data group my_private_uris (compared in lower case).
        if { ( [HTTP::cookie exists MRHSession] ) or ( [class match [string tolower [HTTP::uri]] starts_with my_private_uris] ) } {
            return
        } else {
            # Public URI and no session yet: bypass APM for this request.
            ACCESS::disable
            return
        }
    }
    

    You would then just apply the SSO profile to the access policy.
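One caveat with the iRule above: it treats the mere presence of an MRHSession cookie as proof of a session. A client whose APM session has expired but which still carries the cookie is therefore sent through the access policy even on a public page, and APM will start a fresh policy evaluation for it. The iRule below is an added example, not Kevin's code from this thread, showing one way to handle that: it keeps the same structure but only routes a public request through the policy when the cookie maps to an APM session that is still in the allowed state. It assumes a string data group named my_private_uris (the name used in the thread) and an APM version on which ACCESS::session exists accepts the -state_allow flag; check both against your BIG-IP version before deploying.

```tcl
# Added example (not the iRule posted in this thread). Assumes:
#  - a string data group "my_private_uris" holding protected path prefixes,
#    e.g. "/private/", "/admin/"
#  - an APM version supporting "ACCESS::session exists -state_allow <sid>"
when HTTP_REQUEST {
    # Compare on the path only, lowercased, so case and query strings
    # cannot affect the prefix match.
    set path [string tolower [HTTP::path]]

    # Protected resource: always run the access policy (login if needed).
    if { [class match $path starts_with my_private_uris] } {
        return
    }

    # Public resource: run the policy only if the client presents a cookie
    # that still maps to an allowed APM session. The SSO credential mapping
    # then adds the Authorization header for logged-in users, while
    # anonymous users are never prompted.
    if { [HTTP::cookie exists MRHSession] } {
        set sid [HTTP::cookie MRHSession]
        if { [ACCESS::session exists -state_allow $sid] } {
            return
        }
        # Stale or unknown session cookie: treat the client as anonymous.
        # Only the path is logged, never the session ID.
        log local0.info "Ignoring stale MRHSession cookie for public path $path"
    }

    ACCESS::disable
}
```

Two points on the data group: because the match is starts_with, an entry such as "/private" also matches "/privatedocs", so enter prefixes with their trailing slash ("/private/") unless the wider match is intended; and keep the entries in lower case, since the path is lowercased before comparison.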

  • Kevin,

    This is a very elegant solution that works just fine. This does everything I was looking for. Thanks a lot!