Apache mod_auth_tkt Single Sign On
Problem this snippet solves:
This iRule parses an auth_tkt cookie and verifies its digest. It is a proof-of-concept that can be leveraged to offload authentication and/or verification from the Apache servers when used in conjunction with the LTM authentication module. Using "AUTH::response_data", you can include additional tokens from the authentication server in the cookie that help LTM make more intelligent, user-aware load-balancing decisions. As these cookies are unique per user, you can also use them as a source of persistence information. If performance is a must, you can use the session table to cache verified cookies, store the necessary information about the authenticated user, and look them up by hash. This session entry could also be used to maintain a precision-based inactivity timeout.

Code:
rule mod_auth_tkt {
    when RULE_INIT {
        # Cookie name and shared secret must match TKTAuthCookieName / TKTAuthSecret on the Apache side
        set cookie_name "auth_tkt_sso"
        set secret "auth_tkt_shared_secret"
        # Tokens and user data are fixed here rather than read from the ticket,
        # so they must match what the ticket issuer signed
        set tokens "AUTH_TKT_TOKEN1,AUTH_TKT_TOKEN2"
        set data ""
    }
    when HTTP_REQUEST {
        if { ! [HTTP::cookie exists $::cookie_name] } {
            return
        }
        set cookie [HTTP::cookie $::cookie_name]
        set ticket [b64decode $cookie]
        # Ticket layout: 32 hex chars of digest, 8 hex chars of timestamp, user_id terminated by "!"
        # A cookie that does not decode or parse leaves the variables unset, so reject it up front
        if { [scan $ticket {%32s%8s%[^!]!} master_digest time_stamp user_id] != 3 } {
            reject
            return
        }
        # All-zero client IP: the ticket is verified as if TKTAuthIgnoreIP were on
        set rawip "\000\000\000\000"
        # Timestamp as the 4 raw bytes its hex representation encodes
        set rawts [binary format H* $time_stamp]
        # digest = md5( md5(ip . ts . secret . user_id . \0 . tokens . \0 . data) . secret ), as hex
        set rawstring $rawip$rawts$::secret$user_id\000$::tokens\000$::data
        binary scan [md5 $rawstring] H* digest0
        binary scan [md5 $digest0$::secret] H* digest
        if { $digest ne $master_digest } {
            reject
        }
    }
}
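The same digest computation in Python, as an added example that is not part of the original snippet or of mod_auth_tkt's own code: it issues a ticket in the layout the iRule scans (digest, hex timestamp, `user_id!tokens!data`, base64-encoded) and verifies it with the same double MD5 over an all-zero client IP that the rule uses. It also adds two checks the iRule leaves to Apache: a constant-time comparison of the digest and an optional ticket age limit, since the rule reads the timestamp only as digest input and never checks expiry. The secret, token and user names are constructed sample values that mirror the rule's RULE_INIT settings.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample values; they mirror the RULE_INIT settings in the iRule
SECRET = "auth_tkt_shared_secret"
TOKENS = "AUTH_TKT_TOKEN1,AUTH_TKT_TOKEN2"


def ticket_digest(secret, ip, ts, user_id, tokens, data):
    """mod_auth_tkt digest: md5( md5(ip . ts . secret . uid . \\0 . tokens . \\0 . data) . secret ), hex."""
    raw_ip = bytes(int(octet) for octet in ip.split("."))  # 4 raw bytes; 0.0.0.0 means "ignore IP"
    raw_ts = bytes.fromhex(f"{ts:08x}")                     # same 4 bytes as [binary format H* $time_stamp]
    inner = (raw_ip + raw_ts + secret.encode() + user_id.encode() + b"\0"
             + tokens.encode() + b"\0" + data.encode())
    digest0 = hashlib.md5(inner).hexdigest()
    return hashlib.md5(digest0.encode() + secret.encode()).hexdigest()


def make_ticket(secret, user_id, tokens="", data="", ip="0.0.0.0", ts=None):
    """Build the base64 cookie value: digest (32 hex) + timestamp (8 hex) + user_id!tokens!data."""
    ts = int(time.time()) if ts is None else ts
    digest = ticket_digest(secret, ip, ts, user_id, tokens, data)
    plain = f"{digest}{ts:08x}{user_id}!{tokens}!{data}"
    return base64.b64encode(plain.encode()).decode()


def verify_ticket(cookie, secret, ip="0.0.0.0", timeout=None, now=None):
    """Return the ticket fields if the digest (and, when timeout is set, the age) checks out, else None."""
    try:
        plain = base64.b64decode(cookie, validate=True).decode()
    except ValueError:          # bad base64 or a non-UTF-8 payload
        return None
    if len(plain) < 41:         # too short to hold digest + timestamp + "!"
        return None
    presented, ts_hex, rest = plain[:32], plain[32:40], plain[40:]
    try:
        ts = int(ts_hex, 16)
    except ValueError:
        return None
    user_id, sep, rest = rest.partition("!")
    if not sep or not user_id:
        return None
    tokens, sep, data = rest.partition("!")
    if not sep:                 # only one "!": no token list, the remainder is user data
        tokens, data = "", tokens
    expected = ticket_digest(secret, ip, ts, user_id, tokens, data)
    # Constant-time comparison; the iRule's "ne" is a plain string compare
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return None
    if timeout is not None:     # age check the iRule does not perform
        now = int(time.time()) if now is None else now
        if now - ts > timeout:
            return None
    return {"user_id": user_id,
            "tokens": tokens.split(",") if tokens else [],
            "data": data,
            "ts": ts}


if __name__ == "__main__":
    cookie = make_ticket(SECRET, "alice", TOKENS)
    print(cookie)
    print(verify_ticket(cookie, SECRET, timeout=3600))
```

A ticket produced by `make_ticket` with the rule's secret and token string is accepted by the iRule unchanged; the `timeout` argument is the LTM-side equivalent of Apache's `TKTAuthTimeout`, which the rule as written does not enforce.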
Published Jan 30, 2015
Version 1.0
Contributed by Jeff Hafey. - JRahmAdmin