Forum Discussion
kris_52344
Nimbostratus
Mar 24, 2009
SSO authentication for web server with iRule
Here I use the Client Auth Using HTTP Cookie iRule:
----------------------------------
when CLIENT_ACCEPTED {
    # Per-connection state
    set authinsck 0                  ;# 1 = insert the auth cookie in the response
    set forceauth 1                  ;# 1 = this request must authenticate
    set ckname BIGXAUTH              ;# cookie name
    set ckpass 1xxx5678              ;# passphrase used to encrypt/decrypt the cookie
    set ckvalue [IP::client_addr]    ;# expected cookie value: the client address
    set ckdomain .Acme.com           ;# Domain attribute of the cookie
    set asid [AUTH::start pam default_ldap]
}
when HTTP_REQUEST {
    if {[HTTP::cookie exists $ckname]} {
        HTTP::cookie decrypt $ckname $ckpass 128
        # A cookie whose value matches the client address skips authentication
        if {[HTTP::cookie value $ckname] eq $ckvalue} {
            set forceauth 0
        }
        # Do not pass the auth cookie on to the web server
        HTTP::cookie remove $ckname
    }
    if {$forceauth eq 1} {
        # Credentials come from the Basic auth header
        AUTH::username_credential $asid [HTTP::username]
        AUTH::password_credential $asid [HTTP::password]
        AUTH::authenticate $asid
        # Hold the request until the auth result arrives
        HTTP::collect
    }
}
when HTTP_RESPONSE {
    if {$authinsck eq 1} {
        HTTP::cookie insert name $ckname value $ckvalue path / domain $ckdomain
        HTTP::cookie secure $ckname enable
        HTTP::cookie encrypt $ckname $ckpass 128
    }
}
when AUTH_SUCCESS {
    if {$asid eq [AUTH::last_event_session_id]} {
        set authinsck 1
        HTTP::release
    }
}
when AUTH_FAILURE {
    if {$asid eq [AUTH::last_event_session_id]} {
        HTTP::respond 401 "WWW-Authenticate" "Basic realm=\"\""
    }
}
when AUTH_WANTCREDENTIAL {
    if {$asid eq [AUTH::last_event_session_id]} {
        HTTP::respond 401 "WWW-Authenticate" "Basic realm=\"\""
    }
}
when AUTH_ERROR {
    if {$asid eq [AUTH::last_event_session_id]} {
        HTTP::respond 401
    }
}
--------------------------------------------
This iRule is used for LDAP auth.
I created the Acme.com domain.
So what changes are required for the cookie name, password and domain for successful auth using an HTTP cookie?
2 Replies
- hoolio
Cirrostratus
Did you test the above rule? If so, what were the results?
The above iRule gets the username and password from the basic auth header. If you want to parse the username and password from a different component, you could replace [HTTP::username] and [HTTP::password] with the commands you use to parse the user/pass.
If I've missed your question, can you elaborate on what you're trying to accomplish, what you've tried and what's not working?
Thanks,
Aaron
- kris_52344
Nimbostratus
I want to implement single sign-on for the LDAP authentication, so is that iRule working fine or not?
And if yes, then what changes do I have to make in that iRule
for the cookie name, password and domain?
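As an added illustration (not code from the thread or from F5), the Python example below models the decision the posted iRule makes on each request and the conditions under which a browser returns the cookie. Assumptions: HMAC-SHA256 stands in for the BIG-IP's cookie encryption, and the function names and the passphrase are made up for the example.

```python
import base64
import hashlib
import hmac

CK_NAME = "BIGXAUTH"        # $ckname in the iRule
CK_DOMAIN = ".Acme.com"     # $ckdomain in the iRule
CK_PASS = b"constructed-passphrase"  # constructed stand-in for $ckpass


def seal(value):
    # Assumption: HMAC-SHA256 stands in for the AES encryption that
    # HTTP::cookie encrypt performs on the BIG-IP.
    mac = hmac.new(CK_PASS, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac + value.encode()).decode()


def unseal(token):
    # Return the protected value, or None if the token is malformed or altered.
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    mac, value = raw[:32], raw[32:]
    expected = hmac.new(CK_PASS, value, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return value.decode(errors="replace")


def force_auth(cookies, client_ip):
    # Mirrors the HTTP_REQUEST branch: LDAP is skipped only when the cookie
    # opens cleanly and its value equals this connection's client address.
    token = cookies.get(CK_NAME)
    return token is None or unseal(token) != client_ip


def browser_sends_cookie(scheme, host, cookie_domain=CK_DOMAIN):
    # The Secure attribute limits the cookie to HTTPS; the Domain attribute
    # limits it to that domain and hosts beneath it (host names, not IPs).
    dom = cookie_domain.lower().lstrip(".")
    host = host.lower()
    return scheme == "https" and (host == dom or host.endswith("." + dom))
```

With the cookie domain set to .Acme.com and Secure enabled, the cookie comes back only over HTTPS to hosts under that domain, and it is accepted only from the client address that authenticated.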