For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

APM Sharepoint authentication

Problem this snippet solves: Updated version to support Webdav with windows explorer after Nicolas's comment. APM is a great authentication service but it does it only with forms. The default be...
Published Apr 20, 2016
Version 1.0
BIG-IP Access Policy Manager (APM)
editing office documents
iRules
ms-ofba
programmability contest
security
sharepoint
Stanislas_Piro2's avatar
Stanislas_Piro2
Icon for Cumulonimbus rankCumulonimbus
Sep 14, 2016

the use of 

[ACCESS::user getsid $user_key]
is not a big issue.

in ACCESS_SESSION_STARTED, the session uuid is changed from default tmm.policyname.logonname to username."md5 of user password"

if { [ info exists user_key ] } {
  ACCESS::session data set "session.user.uuid" $user_key
}

so, when a new request comes with same username and password and without session cookie, APM will not create a new session if a previous one exists with the same username / password.

This is first created for active sync to prevent multiple access session for one user.

in the active sync, there is a option to insert in the hash the client ip address to prevent a user with multiple devices to share the same access session (this is the default behavior for active sync). this can be added in the irule.