Forum Discussion
Webtop asks again for authentication
Hi. I have done two setups recently with APM:
- One is a reverse proxy with APM protecting destination web servers with authentication, where servers can be accessed directly with their own URL or through a webtop, but all must be on the same VIP (every URL points to this VS)
- The other setup, in another customer, is a SAML IdP service supporting SP/IdP-initiated connections with a webtop publishing resources
In both cases I've found the same problem.
- If the webtop is requested on the first browser tab, the user authenticates, and following requests to URLs on other browser tabs work as expected, with the session cookie acting, no re-authentication required
- If the user requests a URL (or a SAML SP-initiated connection that redirects to the IdP in the second sample case), APM authenticates the user. Then, if the user requests the webtop in a second tab, APM asks for authentication again. If we look in the browser, a new session cookie is presented, different from the existing one
I think I read somewhere this was by webtop design due to security concerns or something like that. Does anyone know about it?
Taking an idea from another post, what I've done is the following iRule, which works, but I'm not sure it is the best option, and that's the reason for this post:
when HTTP_REQUEST {
    # Only act when an APM session cookie is already present on the request
    if { [HTTP::cookie exists "LastMRH_Session"] } {
        log local0. "URI: [HTTP::uri]"
        if { [HTTP::uri] equals "/" } {
            ACCESS::disable
            # Square brackets inside the quoted URL would be parsed as a Tcl
            # command substitution, so the redirect target is a plain string
            HTTP::redirect "https://host.domain.com/vdesk/webtop.eui?webtop=/Common/domain&webtop_type=webtop_full"
        }
        if { [HTTP::uri] equals "" } {
            log local0. "Access DISABLE"
            HTTP::redirect "https://host.domain.com/vdesk/webtop.eui?webtop=/Common/domain&webtop_type=webtop_full"
        }
    }
}
2 Replies
- Stanislas_Piro2
Cumulonimbus
Hi,
URI "" does not exist, no need to search for it.
The following iRule may do the job (not tested): it checks whether the session is allowed, then gets the webtop name from the access session variable, and redirects to the expected URI.
In the redirect, do not use an absolute URL but only the URI. Absolute URLs in redirects and response pages are the nightmare of reverse proxy administrators because they require rewriting if the internal and external protocol and hostname are different.
when HTTP_REQUEST {
    if { ( [set MRHSession_cookie [HTTP::cookie value "MRHSession"]] ne "" ) and ( [ACCESS::session exists -state_allow $MRHSession_cookie] ) } then {
        log local0. "URI: [HTTP::uri]"
        if { [HTTP::uri] equals "/" && ([set webtop [ACCESS::session data get -sid $MRHSession_cookie "session.assigned.webtop"]] ne "") } {
            HTTP::redirect "/vdesk/webtop.eui?webtop=${webtop}&webtop_type=webtop_full"
        }
    }
}
- Stanislas_Piro2
Cumulonimbus
I think you can use multi-domain SSO instead of your configuration.
Multi-domain SSO is used to provide authentication on only one URL:
webtop.domain.com
When a user accesses app1.domain.com,
- he is redirected to https://webtop.domain.com
- after authentication, he is redirected to app1.domain.com
You can define hundreds of URLs authenticating on the same URL.
If the user accesses https://webtop.domain.com, you can assign a webtop with webtop links.
My iRule must be modified to be compatible with multi-domain SSO:
when HTTP_REQUEST {
    if { ( [set MRHSession_cookie [HTTP::cookie value "MRHSession"]] ne "" ) and ( [ACCESS::session exists -state_allow $MRHSession_cookie] ) } then {
        log local0. "URI: [HTTP::uri]"
        if { [HTTP::uri] equals "/" && ([set webtop [ACCESS::session data get -sid $MRHSession_cookie "session.assigned.webtop"]] ne "") } {
            if { [PROFILE::access domain_mode] && [URI::host [PROFILE::access primary_auth_service]] equals [HTTP::host] } {
                HTTP::redirect "/vdesk/webtop.eui?webtop=${webtop}&webtop_type=webtop_full"
            }
        }
    }
}
EDIT: I corrected the iRule according to Sergi's comment about the missing ]