Forum Discussion
Single Sign On - Cookie + Basic Auth
I am currently using an ISAPI filter, basic authentication, and a cookie to achieve single sign on for a portfolio of web applications/servers. I'd like to be able to cut out the ISAPI filter for ease of maintenance and expanding support across non-IIS web servers.
Has anyone used an iRule to simulate a "forms" based type of authentication over multiple web servers? I am thinking the iRule could do something like this:
- Check for existence of login cookie
- No cookie - 302 to anonymous login page (SSL)
- User submits login (validated against LDAP), which creates two cookies - "login cookie" and "auth cookie" (base64 encoded user/password)
- "login cookie" exists - check for "auth cookie"
- "auth cookie" is appended as WWW-Authenticate
- No "auth cookie" - send 401 to client
- On error - 401 to client
Does this seem like something an iRule could do? I am a complete beginner on iRules - any help would be great!!
2 Replies
- hoolio
Cirrostratus
Hi Michael,
That seems fairly reasonable to achieve in an iRule. I don't think it would be a simple iRule to start with though. If you want LTM to authenticate the client requests against an LDAP database, you'd need to get the Advanced Client Authentication module. You can check with an F5 salesperson or partner to find out how much that would cost (http://www.f5.com/howtobuy).
One small note: base64 encoding wouldn't encrypt or secure the username/password. If you want to store the user/pass in a reversible form in a cookie, you'd probably want to encrypt, base64 encode and then URL encode the values.
http://devcentral.f5.com/wiki/default.aspx/iRules/AES__encrypt.html
http://devcentral.f5.com/wiki/default.aspx/iRules/b64encode
http://devcentral.f5.com/wiki/default.aspx/iRules/uri__encode
Aaron
- michael_61082
Nimbostratus
I was planning on the anonymous logon page to verify against LDAP and set cookie[s] based on the response from the web server.
Is "AUTH_WANTCREDENTIAL" the correct event to "intercept" the 401 challenge to the browser?
I was thinking something like this...
when AUTH_WANTCREDENTIAL {
    # Logic to check for cookie set on "login" page
    if { ![HTTP::cookie exists "login"] } {
        # Redirect to the anonymous login page; its URL is not given here
        HTTP::respond 302 Location $login_url
    }
}
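The decision tree sketched in the original post (no login cookie: 302 to the login page; login cookie but no auth cookie, or any error: 401; auth cookie: turn it into Basic credentials for the back end), Aaron's encrypt, then base64, then URL-encode ordering, and the cookie check in the AUTH_WANTCREDENTIAL sketch above, modelled as one stand-alone Go program. This is an added example, not an iRule and not code from the thread or from F5. The cookie names, login URL and realm are placeholders; AES-GCM (authenticated encryption, so a tampered cookie is rejected rather than decrypted to garbage) stands in for the AES::encrypt iRule command Aaron links; and the credentials are handed to the origin in the Authorization request header, which is where a browser puts Basic credentials (WWW-Authenticate is the server's challenge). naiveCookie is the first proposal, base64 only, which anyone holding the cookie reverses with one decode call.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// Cookie names, login URL and realm are placeholders; the thread does not name them.
const (
	loginCookie = "sso_login"
	authCookie  = "sso_auth"
	loginPage   = "https://login.example.com/login"
	realm       = `Basic realm="sso"`
)

// naiveCookie is the "auth cookie" as first proposed: base64 only, which is an
// encoding, not a cipher. Whoever reads the cookie gets the password back.
func naiveCookie(user, pass string) string {
	return base64.StdEncoding.EncodeToString([]byte(user + ":" + pass))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealCreds follows Aaron's order: encrypt, base64 encode, URL encode. AES-GCM
// also authenticates the ciphertext; the random nonce is prepended to it.
func sealCreds(key []byte, user, pass string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(user+":"+pass), nil)
	return url.QueryEscape(base64.RawURLEncoding.EncodeToString(ct)), nil
}

// openCreds reverses sealCreds; a modified cookie or a foreign key fails the tag check.
func openCreds(key []byte, cookieVal string) (string, error) {
	unescaped, err := url.QueryUnescape(cookieVal)
	if err != nil {
		return "", err
	}
	ct, err := base64.RawURLEncoding.DecodeString(unescaped)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(ct) < ns {
		return "", errors.New("auth cookie too short")
	}
	pt, err := gcm.Open(nil, ct[:ns], ct[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// decide walks the branches of the original post in order and returns the
// status plus the one header that branch sets.
func decide(key []byte, r *http.Request) (status int, header, value string) {
	if _, err := r.Cookie(loginCookie); err != nil {
		return http.StatusFound, "Location", loginPage // no login cookie: 302
	}
	c, err := r.Cookie(authCookie)
	if err != nil {
		return http.StatusUnauthorized, "WWW-Authenticate", realm // no auth cookie: 401
	}
	creds, err := openCreds(key, c.Value)
	if err != nil {
		return http.StatusUnauthorized, "WWW-Authenticate", realm // error: 401
	}
	// Basic credentials reach the origin in the Authorization request header.
	return http.StatusOK, "Authorization", "Basic " + base64.StdEncoding.EncodeToString([]byte(creds))
}

func main() {
	key := make([]byte, 32) // demo key; a deployment loads it from a secret store
	_, _ = rand.Read(key)
	r, _ := http.NewRequest("GET", "https://app.example.com/", nil)
	sealed, _ := sealCreds(key, "alice", "s3cret")
	r.AddCookie(&http.Cookie{Name: loginCookie, Value: "1"})
	r.AddCookie(&http.Cookie{Name: authCookie, Value: sealed})
	fmt.Println(decide(key, r))
}
```

The key has to be shared between whatever sets the auth cookie at login and whatever reads it in front of the applications, and it should not be pasted into the iRule text itself. On LTM the same three branches would normally sit in an HTTP_REQUEST event using HTTP::cookie to read the cookies and HTTP::header insert to add the Authorization header before the request reaches the pool member.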
