Forum Discussion
SSO for webserver
Hi out there
I need an idea of how I can avoid my users cheating me.
I have an SSO setup where I, through a client-initiated web form, do an SSO login to a web server. After this the APM job is finished, and I expected that my users would now always have to go through the APM module to log in to the web server.
But if I open a new window in the browser and know the URL, I can avoid the APM module because I already have a running session and get a login from the backend system. Can somebody give me some ideas on how to always force the users to go through a login of the APM module? I don't want my users to be able to go directly to the web server and log in as another user...
Suggestions?
33 Replies
- tiwang
Nimbostratus
Hi again Kevin
OK - changed the Client Initiated SSO Detect form to URI and just entered / and /default.htm, and it looks as if it works - now I cannot cheat the logon form any more but get auto-logged on.
On the right part of the window in the F5 GUI there is "Headers in the SSO Configuration" - when would they be used?
btw - when I am running the application, the username and password are displayed in clear text as part of the URL - they are used as parameters directly to the database behind the web server. How can I mask these strings? I have an idea about a table on the F5 which keeps these strings and masks them when sent to the client - is this possible somehow?
best regards /ti - tiwang
Nimbostratus
I can see that there is an easy-to-go-for solution here with a proxy iRule https://devcentral.f5.com/wiki/iRules.ProxyPass_for_use_with_APM.ashx - but I am not sure if this will do exactly what I want - I need to mask either some specific parts of a URL or completely remove the text from a given URL sent to the client - will this work with this iRule?
best regards /ti - Kevin_Stewart
Employee
The "Headers in the SSO Configuration" section is for inserting static headers. I don't know of any applications that use this.
ProxyPass *may* help, but I think the better option is to NOT use the username and password in the URL if you can at all help it. Where is this URL set, and is it in the payload of the web server's response or just in headers and URIs? - tiwang
Nimbostratus
Hi again
Yes, I completely agree with you - BUT - that can be a bit problematic. I know the username and password at the time the traffic passes through, and I only need to modify these two variables in the URL if they exist there - is there a sample somewhere around which could show me how to do an iRule for this? Been reading ProxyPass a bit, and the main task there is of course to modify the server part of the URL, and I need to modify some specific part of the URI instead - suggestions? The web page is split into 3 frames where there are several action buttons - like search - and if you push e.g. a search button, this will launch an HTTP request with a pre-built URL with e.g. items from a search field etc.
The URL could look like this:
https://Server1.comp.com/web/appsrv.dll?Service=StartHTML&Event=GetPostalGroupText&Communities=COM1&InFormat=xx&OutFormat=P_Query_Entry&IncontentType=POST&OutContentType=HTML&Language=Dk&UserID=User1&Password=Abc123&BeginApplicationData=TRUE
I want to modify UserID and Password on the fly
best regards /ti - tiwang
Nimbostratus
hmm - been digging with Fiddler and discovered that I of course am facing several problems - when I use the URI parameter in the SSO form and define a cookie to identify a successful login, I get very sensitive to how the HTTP profile is defined - regarding chunking. If the request chunking is defined as Preserve and response chunking as Selective, the SSO form is working - mostly (need to dig deeper into that because from time to time I get an error with bad username etc.)
I try to change my logon detection in the SSO form from Cookie to URI - the cookie is only set after the user has made a selection. The URI which is presented by the web server after a successful logon is of this form:
fc50b556: SSOv2 Request "POST /script/selectCommunity.asp?f5-sso-form=Validform_test"
I tried to define the URI as /script/selectCommunity.asp but this isn't matched - I get a logon failed in the APM log:
fc50b556: SSOv2 Logon failed, config /dk_dmz/DK_ADPTEST_sso form Validform_test
Can you tell me what I have done wrong here?
best regards /ti - Kevin_Stewart
Employee
First question: is the URL with the userid and password in a response header (perhaps a 302 redirect), or in the payload (a link in the page)?
Second question: in your Form SSO config, what happens immediately after a post with valid user/pass? Are you redirected to another page or issued a cookie? Does this action differ when the user/pass is wrong? - tiwang
Nimbostratus
Hi Kevin
The usernames and passwords are in URLs embedded in JavaScript which is built by the web server and sent to the client - like this:
function PartShoppingCart()
{
if (document.all.UPLOAD.style.visibility != "visible")
document.all.UPLOAD.style.visibility = "visible" ;
else
document.all.UPLOAD.style.visibility = "hidden" ;
document.all.UploadWindowAction.value ="PartShoppingCart";
document.Validform.target = "UPLOAD" ;
document.Validform.action = "/web/script/PartShoppingCart/PartShoppingCartStart.asp?css=/web/css/adp.css&CompanyNo=9990&TargetFrame=Service_Frame&UserGroupId=User1" ;
document.Validform.method = "POST" ;
document.Validform.submit();
}
function OrderHistorySearch()
{
if (document.all.UPLOAD.style.visibility != "visible")
document.all.UPLOAD.style.visibility = "visible" ;
else
document.all.UPLOAD.style.visibility = "hidden" ;
document.all.UploadWindowAction.value ="PartOrderHistory";
document.Validform.target = "UPLOAD" ;
document.Validform.action = "/web/script/PartOrderHistory/OrderHistoryStart.asp?css=/web/css/adp.css&CompanyNo=9990&Communities=Com1&UserGroupId=User1&Password=abc123&dateformat=dd/MM/yyyy&TargetFrame=Service_Frame" ;
document.Validform.method = "POST" ;
document.Validform.submit();
}
Regarding the SSO config - I thought that the next thing I got was a redirect to a new page, but in fact it sets a cookie and publishes a new page where I can select a group membership (Community). But here is where the chunking gives some problems - it seems to me that the APM SSO function cannot always find the form depending on how the chunking is set in the HTTP profile (and why do I fiddle with this at all? Because if the chunking is set so that I can detect the logon form, a JavaScript sent later is corrupted - it should build a nice huge table on the screen where the user could fill in items to order) - tiwang
Nimbostratus
any suggestions for my chunking problem - or could it be some missing JavaScript support? Is there somewhere we have some extended JavaScript support?
best regards /ti - Kevin_Stewart
Employee
The easiest thing may be to just disable chunking in an iRule:

    when HTTP_REQUEST {
        # Do not accept compressed responses (keeps the payload readable by the BIG-IP).
        HTTP::header remove "Accept-Encoding"
        # Downgrade HTTP/1.1 requests to HTTP/1.0: an HTTP/1.0 client cannot be sent
        # chunked transfer encoding, so the server delimits the body with Content-Length.
        if { [HTTP::version] eq "1.1" } {
            if { [HTTP::header is_keepalive] } {
                HTTP::header replace "Connection" "Keep-Alive"
            }
            HTTP::version "1.0"
        }
    }

- tiwang
Nimbostratus
ok - thanks - cut the code and created a new iRule which is fired as the first on my test VS - I'll try to trace what happens when this iRule is fired.
best regards /ti
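The two problems raised in this thread (a user opening a known URL in a new window and presenting some other user's credentials to the backend, and the backend's UserID/UserGroupId/Password values being visible in the URLs it embeds in its JavaScript) can be handled together in one iRule. The following is an added example, not code posted in the thread and not an F5 product sample. It assumes, which the thread does not state, that the virtual server carries the APM access policy, that the form-based SSO stored the logon as session.logon.last.username and session.logon.last.password, that the backend reads these parameters only from the query string, and that the parameter names are exactly the ones shown in the posted URLs; the placeholder strings __APM_UID__ and __APM_PWD__ are arbitrary choices for this example.

```tcl
# Added example (not from the thread). Two jobs:
#  1. On the way out, replace credential values in embedded URLs with fixed
#     placeholders so the browser never sees them.
#  2. On the way in, overwrite whatever the client sends in those parameters
#     (placeholder or hand-typed) with the identity APM authenticated, so a
#     user cannot reach the backend as somebody else from a new window.
# Assumed: APM policy on this virtual server, logon stored in
# session.logon.last.username / session.logon.last.password, and the backend
# reads the parameters from the query string only.

when HTTP_REQUEST {
    # Ask for an uncompressed response so HTTP_RESPONSE_DATA can rewrite it.
    HTTP::header remove "Accept-Encoding"
}

when ACCESS_ACL_ALLOWED {
    # Fires only for requests APM has already admitted, so the session
    # variables exist here. URI::encode keeps '&' or '=' inside a credential
    # from breaking the rebuilt query string.
    set q [HTTP::query]
    if { $q eq "" } { return }
    set uid [URI::encode [ACCESS::session data get "session.logon.last.username"]]
    set pwd [URI::encode [ACCESS::session data get -secure "session.logon.last.password"]]
    set hits 0
    incr hits [regsub -all -nocase {(^|&)(UserID|UserGroupId)=[^&]*} $q "\\1\\2=$uid" q]
    incr hits [regsub -all -nocase {(^|&)Password=[^&]*} $q "\\1Password=$pwd" q]
    if { $hits > 0 } {
        HTTP::uri "[HTTP::path]?$q"
    }
}

when HTTP_RESPONSE {
    # Only HTML/JavaScript bodies carry the generated links; leave binaries
    # alone, and cap collection (1 MiB here) so downloads are not buffered.
    set ct [HTTP::header "Content-Type"]
    if { ($ct starts_with "text/") || ($ct contains "javascript") } {
        if { [HTTP::header exists "Content-Length"] } {
            if { [HTTP::header "Content-Length"] <= 1048576 } {
                HTTP::collect [HTTP::header "Content-Length"]
            }
        } else {
            # Chunked or connection-delimited body: collect to the end.
            HTTP::collect
        }
    }
}

when HTTP_RESPONSE_DATA {
    # Mask the credential value in every embedded URL. The value stops at the
    # next '&', a quote, or whitespace, which covers the JavaScript strings
    # shown in the thread.
    set body [HTTP::payload]
    set hits 0
    incr hits [regsub -all -nocase {([?&](?:UserID|UserGroupId)=)[^&"'\s]*} $body {\1__APM_UID__} body]
    incr hits [regsub -all -nocase {([?&]Password=)[^&"'\s]*} $body {\1__APM_PWD__} body]
    if { $hits > 0 } {
        # The BIG-IP recalculates Content-Length after the replace.
        HTTP::payload replace 0 [HTTP::payload length] $body
    }
    HTTP::release
}
```

Two caveats for anyone adapting this. The HTTP profile must not have Response Chunking set to Preserve (use Selective or Rechunk), otherwise HTTP::payload does not see a dechunked body to rewrite; this is the same profile setting the thread was fighting with. And masking only hides the credentials from the browser: the backend still receives them in the URL, so they still land in its access logs, and the APM box still handles them in clear text. The actual fix remains what Kevin_Stewart said, namely to stop carrying the username and password in the URL and let the application take the identity from the SSO session instead.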
