amallet_4001
May 18, 2017

SSO HTTP Forms with variable URI

Hello,

I have an application which does not do SAML SSO and I would like to be able to set up SSO HTTP Forms.

However my URI is variable.

POST /idp/4NnB0_xVb0A/resumeSAML20/idp/SSO.ping HTTP/1.1

 

apm sso form-based /Common/LMT_test_auth {
    form-action "/resumeSAML20/idp/SSO.ping HTTP/1.1"
    form-field " "
    form-password password
    form-username username
    start-uri /resumeSAML20/idp/SSO.ping
}

How can I do this?

Thanks for the help

  • Hi,

    Did you try with Form action:

    /idp/%{session.custom.variable}/resumeSAML20/idp/SSO.ping HTTP/1.1

  • Hi,

    Thank you for the response.

    However, how do I create the custom variable?

    iRule or directly in the VPE?

    Best regards

    • Stanislas_Piro2

      You can assign the variable with Variable Assign. It supports Tcl code.

      How can you retrieve this variable part of the URI?

      Are there multiple static values or is it a non-predictable value?

    • amallet_4001

      This variable is a non-predictable value.

      I created an iRule to extract the URI:

      when HTTP_REQUEST {
          if {[HTTP::uri] contains "/idp/SSO.ping" && [HTTP::uri] contains "_"} {
              set SSO_URI [regsub -nocase {/f5\-w\-[0-9a-f]+\$\$} [HTTP::uri] ""]
              ACCESS::session data set session.lmt.sso.starturi "$SSO_URI"
          }
      }

      And configured the SSO configuration HTTP Form.

      It's working.

      However, can we add the URI extraction in the VPE with "Variable Assign"?

      Thanks

    • Stanislas_Piro2

      Hi,

       

      HTTP_REQUEST is not the right event to use, as it is evaluated for all following requests and not only during policy evaluation.

      You can do it with this (event only evaluated when a new session starts):

      when ACCESS_SESSION_STARTED {
          if {[set uri [HTTP::uri]] contains "/idp/SSO.ping" && $uri contains "_"} {
              if {[scan $uri {/f5-w-%[^$]$$%s} garbage SSO_URI] == 2} {
                  ACCESS::session data set session.lmt.sso.starturi "$SSO_URI"
              } else { 
                  ACCESS::session data set session.lmt.sso.starturi $uri
              }
          }
      }

      or with Variable Assign:

      session.lmt.sso.starturi =

      if {[scan [mcget {session.server.landinguri}] {/f5-w-%[^$]$$%s} garbage SSO_URI] == 2} {
          return $SSO_URI
      } else {
          return [mcget {session.server.landinguri}]
      }

      If you want to evaluate this code for every request, you must use the ACCESS_ACL_ALLOWED event (same as HTTP_REQUEST but after APM and the rewrite profile). In this event there is no need to parse HTTP::uri.
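
Added example, not part of the thread and not F5 code: the value stored in session.lmt.sso.starturi is taken from the client's request URI, so this plain-Tcl version (runnable in tclsh) strips the /f5-w-...$$ prefix the same way the thread does and then accepts only the path shape shown in the question. The proc name extract_sso_uri, the allowed characters for the variable segment, the absence of a query string and the sample URIs are assumptions.

```tcl
# Hypothetical helper (not an F5 API). Returns the path to store in
# session.lmt.sso.starturi, or "" when the URI does not have the
# expected shape and should not be used for SSO.
proc extract_sso_uri {uri} {
    set path $uri

    # Strip the "/f5-w-<chars>$$" prefix with the same scan format
    # used in the thread; leave the URI untouched when it is absent.
    if {[scan $uri {/f5-w-%[^$]$$%s} garbage rest] == 2} {
        set path $rest
    }

    # Assumption: exactly one variable segment made of letters, digits,
    # "_" or "-" between the two fixed parts, and no query string.
    if {[regexp {^/idp/[A-Za-z0-9_-]+/resumeSAML20/idp/SSO\.ping$} $path]} {
        return $path
    }
    return ""
}

# Constructed sample URIs; only the first path comes from the question.
foreach uri {
    /idp/4NnB0_xVb0A/resumeSAML20/idp/SSO.ping
    /f5-w-68747470$$/idp/4NnB0_xVb0A/resumeSAML20/idp/SSO.ping
    /idp/a/b/resumeSAML20/idp/SSO.ping
    /other_app/idp/SSO.ping
} {
    set result [extract_sso_uri $uri]
    if {$result eq ""} {
        set result "(rejected)"
    }
    puts [format "%-60s -> %s" $uri $result]
}
```

In the iRule, the same two checks would sit inside the ACCESS_SESSION_STARTED block, with ACCESS::session data set called only when the result is not empty.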