Modifying Secure Access Manager v8 session variables with a cookie

Problem this snippet solves:

In this example, an external server is used to authenticate users before passing those authentication credentials over to the Secure Access Manager (SAM v8) using a cookie. The SAM then grabs the username and password from the cookie, sends them to an AD server, and logs in the user directly without presenting the login page. If there is no cookie, the SAM just presents a logon page.

Let's assume that after the user authenticates to the third-party web server, that they are then redirected to the SAM box. So the user initially connects to [https://sso.example.com], and that server in turn redirects them and sets a session cookie. The redirect would look something like this:

when HTTP_REQUEST {

    HTTP::respond 302 Location "[https://sam.example.com/"] Set-Cookie "MySAMCookie=1\; domain=.example.com" Set-Cookie "MySAMUser=user1\; domain=.example.com" Set-Cookie "MySAMpw=verysecurepassword\; domain=.example.com"

}

The client browser will then connect to the SAM box at https://sam.example.com. Because the cookie contained the domain ".example.com", the browser should present this session cookie when it connects to the SAM box.

The iRule code below will be used to set the session variables "session.logon.last.username" and "session.logon.last.password". The following code can then be used in the VPE to determine if those fields are populated:

expr {[mcget {session.logon.last.username}] ne  and [mcget {session.logon.last.password}] ne }

If those are populated, the VPE can then pass the credentials directly to the AD server for authentication. The user will automatically be connected to the SSL VPN with no further interaction if the authentication was successful.

Please see the attached diagrams showing the VPE configuration used in conjunction with the below iRule.

This is a simple example of manipulating session variables with an iRule, but it should serve to demonstrate the flexibility and power that iRules can offer when used in conjunction with Secure Access Manager (SAM) or Access Policy Manager (APM).

Code :

when HTTP_REQUEST {
   #Check to see if a cookie exists, otherwise no need to do anything.
   #You should probably also check to see if the session variables are already set before doing anything
   #as well, but this code is just for demonstration purposes.
   if { [HTTP::cookie exists MySAMCookie] } {
      
         #Log the session state - this is just for demonstration purposes
         #SAM allows you to gather the values of session variables with the SESSION::data command
         log local0. "Session ID is $tmm_fp_session_id and the status is [SESSION::data get $tmm_fp_session_id \"session.state\"]"

         #Use the SESSION command to set the userID and password
         #session variables to what was in the cookie.  The userID and password are just cookie values

         SESSION::data set $tmm_fp_session_id session.logon.last.username [HTTP::cookie MySAMUser]
         SESSION::data set $tmm_fp_session_id session.logon.last.password [HTTP::cookie MySAMpw]
      
   }
}
Published Mar 18, 2015
Version 1.0
No CommentsBe the first to comment