For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

tiwang's avatar
tiwang
Icon for Nimbostratus rankNimbostratus
Jun 07, 2013

SSO for webserver

Hi out there     I need an idea how I can awoid my users in cheating me.   I have a SSO setup where I through a client initiated webform do a SSO login to a webserver. After this the APM j...
config
design
tiwang's avatar
tiwang
Icon for Nimbostratus rankNimbostratus
Jun 13, 2013
Hi Kevin

 

1 - the applications logon page is in fact distinct - it is implemented i ./default.htm - they do not have to access this unless to logon-attempts.

 

 

2 - the sso profile should be perpetual - ehh - now am I on a bit deep water - I expected that when the SSO profile has done its job the apm module would not be waked up again before a new fresh login - can I keep the apm module watch the session?

 

 

The SSO profile is in fact pretty simple - from the F5 logon page i fetch username and password and looks for the logon form in the response from the webserver where it uses this for the logon to the webserver (in fact - it is not a logon but username and password is used in the back-stage sql server)

 

The section in the SSO profile looks like this - more "Validforms" exist but similar:

 

 

apm sso form-basedv2 /Country_dmz/Country_Server1_sso {

 

description "SSO form for Server1"

 

forms {

 

Validform_ecom_Country {

 

attribute-value Validform

 

controls {

 

PASSWORD {

 

secure true

 

value "%{session.sso.token.last.password}"

 

}

 

UserGroupId {

 

value "%{session.sso.token.last.username}"

 

}

 

}

 

id-type name

 

request-name referer

 

request-type header

 

request-value https://ecom.corp.Country/my.policy

 

}