APM Sharepoint authentication

Problem this snippet solves: Updated version to support Webdav with windows explorer after Nicolas's comment. APM is a great authentication service but it does it only with forms. The default be...
Published Apr 20, 2016
Version 1.0
BIG-IP Access Policy Manager (APM)
editing office documents
iRules
ms-ofba
programmability contest
security
sharepoint
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Sep 16, 2016

Hi Stanislas,

I have some feedback for you...

Line 11-13: Make this option a static::variable. 
Line 15: Unify the syntax within your script to either [HTTP::header MyHeader] or [HTTP::header value MyHeader].
Line 17: Leftover log line?
Line 18: The HTTP::header exists makes much sense. I've updated my own script to include this.
Line 19: I don't see a reason to use two independent variables for forms and client_less. Using a multivalue would make things easier. You may use 0 for browser, 1 for MSOFBA and 2 for Clientless. In this case you could apply certain script blocks for ==1 ==2 or even >0
Line 20,21: Make sure that each switch script block sets both variables. In this case you don't need set them to 0 at the beginning. It will safe some cycles.
Line 51: Remove this line. HTTP::header insert should not throw an error and line 52 will nevertheless insert the cookie for you.
Line 53: Keep in mind that you should reset this variable once a cookie has been issued. Currently it will issues a cookie on consecutive requests. Alternatively set this variable on each request depending on the enumerated client type.
Line 68: Remove the == 0 and flip the order of the [if]. It may save your some additional cycles....
Line 111: I would make sure that only browser are allowed to issue persistent cookie. I guess there is no reason to inject persistent cookie for non-browser clients.
Line 112: A SharePoint wouldn't use a cookie name of MRHSession_SP, so you don't need to remove it.
Line 113-114: Combine this two commands using a HTTP::header insert it will safe some cycles. Also try to issue a HttpOnly header. It will work with Office clients.
Line 135-137: There is no need to random-delay the 401 within ACCESS_POLICY_COMPLETED. Its already auto-random-delayed. The delay would be required only for 401 responses within the HTTP_REQUEST event.
Line 118: There is no need for the [info exists]. The variable is set during CLIENT_ACCEPTED and the not removed.

Deleting VPE session: Sounds interesting. How will you enumerate the sssions with an identical username?

Cheers, Kai