Forum Discussion
SSO for webserver
Hi out there
I need an idea how I can avoid my users cheating me.
I have a SSO setup where I through a client initiated webform do a SSO login to a webserver. After this the APM job is finished and I expected that my users now always had to go through the APM module to login to the webserver.
But - if I open a new window in the browser and know the URL I can avoid the APM module because I already have a running session and get a login from the backend system. Can somebody give me some ideas how to always force the users to go through a login of the APM module? I don't want my users to be able to go directly to the webserver and login as another user...
Suggestions?
33 Replies
- tiwang
Nimbostratus
ok - thanks - cut'd the code and created a new iRule which is fired as the first on my test-vs - I'll try to trace what happens when this iRule is fired.
best regards /ti
- tiwang
Nimbostratus
Hi Again
Looks as if the script works - added a bit debug around it and it is triggered etc - looks fine - thanks
But - I am still fighting with the problem about getting a persistent APM session up - I debugged with tcpdump on the F5 and it looks to me that the Cookie is modified in the F5? I have defined a wrong cookie in the SSO Form so when I changed it to the value I could trace in tcpdump my SSO seems to work (more investigation needed). But - after this I am back with my other problem - corrupted JavaScript when succeeding in getting the APM session persistent - which again must be something with the chunking.
Even though the iRule modifies the request I can change the behavior of the flow with the chunking settings in the HTTP profile
When I define "Request Chunking"="Preserve" or "Selective" and "Response Chunking"="Selective" the APM module succeeds in detecting the logon but when I then come to the next form on the webpage this will be corrupted when loaded.
If set to "Preserve" in both directions the APM module fails in detecting the logon
so - hmm - can I control the chunking with that iRule? As far as I have understood the chunking is just a sort of sending a webpage as one page but in fragments - is that correctly understood?
best regards /ti
- Kevin_Stewart
Employee
Yes, chunking is a way of breaking messages up into smaller pieces. It's generally used to facilitate streaming data where you may not know in advance what the total payload size will be or if you want page content to start rendering before all of the data is sent (or generated). The above iRule tells the server that the client cannot handle chunking, by essentially disabling HTTP 1.1. It also tells the server not to compress the response. If you suspect that chunking is still happening, observe the response data in the capture. By the way, you may have a better time by at least analyzing the TCPDUMP data in Wireshark, if not capturing it there. Chunking will be evident by the "Transfer-Encoding: chunked" header. You may also notice whether or not the payload looks compressed (unreadable).
As for the Form SSO settings, you need to find at least one event that is unique to a successful logon. Your best bet again is to capture that process (I recommend Fiddler or IEWatch in the browser, but also Wireshark) to see what happens directly before and directly after a successful logon. You can attach that capture here if you'd like us to take a look.
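An added example, not part of the original thread or of any F5 tooling: a small Python check for the two things the reply above says to look for in a capture, the "Transfer-Encoding: chunked" header and a compressed payload. It assumes the raw bytes of one HTTP response have been saved from the capture; the function names and both sample responses are constructed for illustration.

```python
# Added example: inspect one raw HTTP response for chunking and compression.

def parse_response(raw: bytes):
    """Split a raw HTTP response into (status_line, headers dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def dechunk(body: bytes) -> bytes:
    """Reassemble a chunked body: hex size, CRLF, data, CRLF, ..., final 0 chunk."""
    out, pos = b"", 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk header")
        size = int(body[pos:eol].split(b";")[0].strip(), 16)
        if size == 0:
            return out
        start = eol + 2
        if start + size > len(body):
            raise ValueError("truncated chunk data")
        out += body[start:start + size]
        pos = start + size + 2  # skip the CRLF that ends the chunk

def inspect_response(raw: bytes) -> dict:
    status, headers, body = parse_response(raw)
    chunked = "chunked" in headers.get("transfer-encoding", "").lower()
    encoding = headers.get("content-encoding", "").lower()
    payload = dechunk(body) if chunked else body
    # gzip streams start with the magic bytes 1f 8b
    compressed = encoding in ("gzip", "deflate", "br") or payload[:2] == b"\x1f\x8b"
    return {"status": status, "chunked": chunked,
            "compressed": compressed, "body": payload}

# Constructed sample: a response sent in two chunks, uncompressed.
SAMPLE_CHUNKED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                  b"Transfer-Encoding: chunked\r\n\r\n"
                  b"6\r\n<form>\r\n7\r\n</form>\r\n0\r\n\r\n")
# Constructed sample: the same page sent without chunking.
SAMPLE_PLAIN = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n"
                b"Content-Length: 13\r\n\r\n<form></form>")

if __name__ == "__main__":
    for sample in (SAMPLE_CHUNKED, SAMPLE_PLAIN):
        print(inspect_response(sample))
```

If the reassembled body of a chunked response matches the unchunked one, the page content itself is intact and any corruption is being introduced elsewhere in the path.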
