Subsequent Form Based SSO

Problem this snippet solves:

After performing a successful APM Form Based SSO it can happen that the backend website will expire the user session while the APM session is still active. When this happens, the user will see the logon page of the backend website and needs to login again. This code snippet will try to detect that the user is being redirected to the backend website login page and will perform a Form Based SSO again by using the credentials from the active APM session.

How to use this snippet:

When using this code snippet, make sure you set the below shown variables to match your environment.

set static::start_uri
set static::form_action

You should also use the Variable Assign agent in the VPE to set the APM session variable

session.custom.form_based.password

with the users password. This password will be used to perform the subsequent Form Based SSO. Use the following custom expression:

return [mcget -secure {session.logon.last.password}]

.

Code :

when RULE_INIT {
    set static::start_uri "login.html"
    set static::form_action "/F5/form_based_login/login.php"
    
    set static::form_html { 
  
    
    

      
      
      
    
  
 }
    set static::form_html [string map "form_action $static::form_action" $static::form_html]
}

when HTTP_REQUEST {
    if { [HTTP::cookie exists MRHSession] and [ACCESS::session exists -state_allow -sid [HTTP::cookie MRHSession]] } {
        set active_session 1
    
        if { [HTTP::method] equals "POST" && [HTTP::uri] equals $static::form_action } {
            set collect_length 2048
            if { [HTTP::header Content-Length] eq "" } {
                set collect_length $collect_length
            } elseif { [HTTP::header Content-Length] == 0 } {
                unset collect_length
            } elseif { [HTTP::header Content-Length] > $collect_length } {
                set collect_length $collect_length
            } else {
                set collect_length [HTTP::header Content-Length]
            }

            if { [info exists collect_length] } {
                HTTP::collect $collect_length
            }
        }
    }
}

when HTTP_REQUEST_DATA {
    # the session.custom.form_based.password variable needs to be set via a variable assign agent in the VPE.
    set username [ACCESS::session data get session.logon.last.username]
    set password [ACCESS::session data get session.custom.form_based.password]
    HTTP::payload replace 0 [HTTP::payload length] "username=$username&password=$password"
}

when HTTP_RESPONSE {

    if { [info exists active_session] } {
        if { [HTTP::header "Location"] equals $static::start_uri } {
            if { [ACCESS::session data get session.custom.first_redirect] == 1 } {
                # this is the subsequent redirect which is not covered by APM Form Based SSO
                HTTP::respond 200 content $static::form_html
            }
            else {
                # this is the initial redirect which is covered by APM Form Based SSO
                ACCESS::session data set session.custom.first_redirect 1
            }
        }
        unset active_session
    }
}

Tested this on version:

13.0