Forum Discussion
Use a cookie to automatically authenticate with other applications
This is the scenario I have:
Users access a virtual server and go through the authentication branches in the access policy as usual. The user can see the backend application just fine. The challenge is: the user will enter a different URL for a different virtual server (backend application). We want to have the SSO functionality in between the applications. So if the user already went through authentication, when he changes the URL for the new application he should not be prompted to authenticate again. However we should still do an LDAP query and check if the user is part of a group to have access to the application they are trying to access. I'm thinking that after the user authenticates the first time, it creates a user cookie and then when the user changes the URL to the other application, it checks if the cookie exists, if it does then we do an LDAP query to check if the user is a member of an AD group that has access to the application. If not we deny access but the user won't have to authenticate again.
Any ideas?
Thanks,
Dennis
2 Replies
- Kevin_Stewart
Employee
The tricky part I think is the cookie itself. An APM policy will normally generate a session cookie that is host-based, that is, it's relevant to a specific host name. If the browser is directed to another host name, it won't send that cookie. You can optionally set a domain attribute in the cookie, so that the browser will send the cookie to any URL in that DNS domain. If you use a domain cookie with multiple APM profiles, the first APM session will run through the policy evaluation just fine. But when you go to the second APM profile, the presence of the (valid) cookie will indicate that authentication is complete and pass over the access policy evaluation. You could do server side SSO in subsequent APM policies, but not full client side evaluation (i.e. LDAP lookups, etc.).
While there are certainly ways to get around this with iRules, probably the easiest thing to do would be to configure SAML authentication (if you're running 11.3 or higher). The user makes an initial request to a VIP with an APM profile configured for "BIG-IP as SP". The user is immediately redirected to another VIP, the IdP, for authentication, and then redirected back with a SAML assertion. The SP VIP processes the assertion and continues through the policy evaluation. When navigating to a second URL, that APM SP again redirects the user to the IdP, but because the user already has an authenticated session with the IdP, they're immediately redirected back with an assertion without re-authenticating. The second VIP processes the assertion and then continues through the policy evaluation.
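The host-only versus domain cookie behaviour described in the reply above is plain browser cookie scoping (RFC 6265 domain matching). The following is an added example, not code from the thread or from F5: it models a browser cookie jar and shows which requests would carry the APM session cookie when it is set without a Domain attribute and when it is set with `Domain=example.com`. The hostnames `app1.example.com`, `app2.example.com` and `app2.other.example`, and the cookie value, are constructed for illustration; `MRHSession` is APM's session cookie name.

```python
"""Model of browser cookie scoping per RFC 6265 (sections 5.1.3, 5.3 and 5.4).

Constructed example: app1.example.com and app2.example.com stand in for the two
virtual servers in the thread; nothing here talks to a BIG-IP.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # effective domain the cookie is scoped to
    host_only: bool  # True when Set-Cookie carried no Domain attribute


def domain_match(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: host equals the domain, or host ends with '.' + domain."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def cookie_from_set_cookie(header: str, response_host: str) -> Optional[Cookie]:
    """Parse the subset of Set-Cookie needed here: name=value plus an optional Domain.

    Returns None when the browser would reject the cookie because the Domain
    attribute does not cover the host that set it (RFC 6265 5.3 step 6).
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain_attr = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain" and val:
            domain_attr = val.strip().lstrip(".").lower()
    if domain_attr is None:
        # No Domain attribute: host-only cookie, bound to the responding host.
        return Cookie(name, value, response_host.lower(), host_only=True)
    if not domain_match(response_host, domain_attr):
        return None
    return Cookie(name, value, domain_attr, host_only=False)


def cookies_for_request(jar: List[Cookie], request_host: str) -> List[str]:
    """RFC 6265 5.4: host-only cookies need an exact host match, domain cookies a domain-match."""
    sent = []
    for c in jar:
        if c.host_only:
            if request_host.lower() == c.domain:
                sent.append(c)
        elif domain_match(request_host, c.domain):
            sent.append(c)
    return [c.name for c in sent]


def scenario(set_cookie_header: str) -> dict:
    """Set the cookie from app1.example.com, then see which hosts receive it."""
    cookie = cookie_from_set_cookie(set_cookie_header, "app1.example.com")
    jar = [cookie] if cookie is not None else []
    return {
        host: cookies_for_request(jar, host)
        for host in ("app1.example.com", "app2.example.com", "app2.other.example")
    }


if __name__ == "__main__":
    # Cookie value is constructed; the real APM value is an opaque session id.
    print("host-only:", scenario("MRHSession=abc123; Path=/; Secure; HttpOnly"))
    print("domain:   ", scenario("MRHSession=abc123; Path=/; Domain=example.com; Secure; HttpOnly"))
```

Running it shows the point of the reply: the host-only cookie is presented to `app1.example.com` only, while the `Domain=example.com` cookie reaches both virtual servers, so the second APM profile sees an existing session rather than a new user. The same property is the caveat: a domain cookie is also sent to every other host under `example.com`, APM-protected or not, which widens where the session token travels.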
- Dennis_Andrade_
Nimbostratus
I tested it with SAML and it seems to be working when the user accesses the second link manually but not when the URL is called inside the other application. But I will create a new question with this new problem. Thank you for the help