SSO failure should cause reject

Question

hi out there&nbsp;
I have a simple problem (probably) - defined a kerberos based sso where - if the sso fails - also connects the user to the webserver where i expected it to reject the client instead but this it doesn't - probably a misunderstanding of the concept.
If the SSO fails what do I need to do to reject the client? define a irule on the ltm which then somehow rejects the client ?
Can I test on a variable of the SSO is successfully? and if so - how do I reject the client?&nbsp;
best regards /ti&nbsp;

kunjan · Answer

For the Kerberos, the server is requesting for credentials, which if SSO configured is provided by the APM. If it doesn't, you should see the user prompt asking to key in the credentials. 
&nbsp; &nbsp;
So now if you don't see means, either back end server is not configured for it, or the client browser is automatically providing it . For the client browser to provide , either user has logged to the domain from a domain joined machine or you might have a saved log in information. &nbsp;

tiwang · Answer

hi Again
yes but - see - I get the user-credentials from a certificate and get a kerberos token from the domain controller (KDC) - if it fails in getting the ticket for some reason I would like it to be rejected - just as a extra guard - not connected to the server. Doesn't we get a flag set somewhere that the SSO has failed and this could we then make use of in a irule which could be used to redirect it to another site?
best regards /ti&nbsp;

tiwang · Answer

hi Again
yes but - see - I get the user-credentials from a certificate and get a kerberos token from the domain controller (KDC) - if it fails in getting the ticket for some reason I would like it to be rejected - just as a extra guard - not connected to the server. Doesn't we get a flag set somewhere that the SSO has failed and this could we then make use of in a irule which could be used to redirect it to another site?
best regards /ti&nbsp;

tiwang · Answer

hi Again
yes but - see - I get the user-credentials from a certificate and get a kerberos token from the domain controller (KDC) - if it fails in getting the ticket for some reason I would like it to be rejected - just as a extra guard - not connected to the server. Doesn't we get a flag set somewhere that the SSO has failed and this could we then make use of in a irule which could be used to redirect it to another site?
best regards /ti&nbsp;

kunjan · Answer

The result is flagged in this session variable: &nbsp;&nbsp;
session.logon.last.username.sso.state- This is set to 1 internally when Kerberos SSO fails. When this variable is set, all subsequent requests are passed to the application server without applying SSO for the remainder of the user session. The variable name is constructed by appending .sso.state to the name specified in Username Source.&nbsp;
http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/24.html&nbsp;

Forum Discussion

SSO failure should cause reject

6 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Failing over Virtual F5 VE to DR location using Zerto

Failing over of a Virtual F5 configuration to another location using Zerto restore process

F5 Networks F5CAB1 Exam - Need Help Regarding Prep

Username is not filled in EdgeClient in the Modern customization

The GSLB pool is providing an incorrect IP to end users

Related Content

Terraform apply failures - loadbalancer_type.https.port_choice

Mitigating OWASP Web Application Risk: Cryptographic Failures using F5 BIG-IP

Mitigating OWASP Web Application Risk: Identification and Authentication Failure using BIG-IP

Monitoring Failure OAuth request

Mitigating OWASP Web Application Risk: Security Logging & Monitoring Failures using F5 BIG-IP

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS