For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

SteveD1979's avatar
SteveD1979
Icon for Cirrostratus rankCirrostratus
Oct 31, 2022

Sending APM AD Query groups as a header

Hi I'm setting up an APM with Kerberos auth that also needs to authenticate group membership to the applications.  They application owners also need to see which groups the users are members of to kn...
devops
Nikoolayy1's avatar
Nikoolayy1
Icon for MVP rankMVP
Nov 04, 2022

Better play an test to make it work as I have not done this myself but you can also try session.ad.last.attr.primaryGroupID  https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/per-request-policy-item-reference/about-per-req-authentication-items/about-ad-group-lookup.html

 

Other than that to make it more secure better use F5 Bearer SSO JWT sign in than HTTP header as F5 can provide the groups in the JWT token that is signed by an F5 Cert that the applications can also have.

 

https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/big-ip-access-policy-manager-single-sign-on-concepts-configuration-14-1-0/04.html

 

SteveD1979's avatar
SteveD1979
Icon for Cirrostratus rankCirrostratus
Jan 12, 2023

The only thing is I'm not using the primary group.  I'm changing the branch rule to branch rule 1 CN=AD group i'm checking against for membership and permissions to the application.