For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

amallet_4001's avatar
amallet_4001
Icon for Nimbostratus rankNimbostratus
May 18, 2017

SSO HTTP Forms with variably uri

Hello, I have an application which does not make SSO SAML and I would like to be able to set up SSO HTTP Forms. However my URI is variable. POST /idp/4NnB0_xVb0A/resumeSAML20/idp/SSO.ping HTTP/...
apm sso
BIG-IP Access Policy Manager (APM)
security
amallet_4001's avatar
amallet_4001
Icon for Nimbostratus rankNimbostratus
May 29, 2017

Hi,

 

thank you for the response

 

However, How to create the custom variable?

 

Irule or directly on the VPE?

 

Best regards

 

Stanislas_Piro2's avatar
Stanislas_Piro2
Icon for Cumulonimbus rankCumulonimbus
May 30, 2017

Hi,

 

HTTP_REQUEST is not the good event to use as it is evaluated for any following requests and not only during policy evaluation.

 

you can do it with (event only evaluated when new session):

 

when ACCESS_SESSION_STARTED {
    if {[set uri [HTTP::uri]] contains "/idp/SSO.ping" && $uri contains "_"} {
        if {[scan $uri {/f5-w-%[^$]$$%s} garbage SSO_URI] == 2} {
            ACCESS::session data set session.lmt.sso.starturi "$SSO_URI"
        } else { 
            ACCESS::session data set session.lmt.sso.starturi $uri
        }
    }
}

or variable assign

 

session.lmt.sso.starturi =

if {[scan [mcget {session.server.landinguri}] {/f5-w-%[^$]$$%s} garbage SSO_URI] == 2} {
    return $SSO_URI
} else { return [mcget {session.server.landinguri}]}

If you want to evaluate this code for every requests, you must use ACCESS_ACL_ALLOWED event (same as HTTP_REQUEST but after APM and rewrite profile). in this event there is no need to parse HTTP::uri.