Apache mod_auth_tkt Single Sign On

Problem this snippet solves:

This iRule is designed to parse and verify the digest from a auth_tkt cookie. This is a proof-of-concept that can be leveraged to offload authentication and/or verification from the apache servers when used in conjunction with the LTM authentication module. Using "AUTH::response_data", you can include additional tokens from the authentication server in the cookie that can help LTM to make more intelligent load-balancing decisions based on the users. As these cookies are unique per user, you can use them as a source of persistence information as well. If performance is a must, you can use the session table to cache verified cookies and store necessary information about the authenticated user and look them up by hash. This session entry could be used to maintain a precision based inactivity timeout as well.

Code :

rule mod_auth_tkt {
   when RULE_INIT {
      set cookie_name "auth_tkt_sso"
      set secret "auth_tkt_shared_secret"
      set tokens "AUTH_TKT_TOKEN1,AUTH_TKT_TOKEN2"
      set data   ""
   when HTTP_REQUEST {
      if { ! [HTTP::cookie exists $::cookie_name] } {
      set cookie [HTTP::cookie $::cookie_name]
      set ticket [b64decode $cookie]
      scan $ticket {%32s%8s%[^!]!} master_digest time_stamp user_id
      set rawip "\000\000\000\000"
      set rawts [binary format H* $time_stamp]
      binary scan $rawts H* rets
      set rawstring $rawip$rawts$::secret$user_id\000$::tokens\000$::data
      binary scan [md5 $rawstring] H* digest0
      binary scan [md5 $digest0$::secret] H* digest
      if { $digest ne $master_digest } {
Published Jan 30, 2015
Version 1.0

Was this article helpful?