on 27-Apr-2023 05:00
Having the power of F5 Access Policy Manager (APM) as an Identity Aware Proxy together with F5 SSL Orchestrator (SSLO) allows for a flexible, organization-wide secure access layer.
Using F5 APM to authenticate access to SSLO was discussed in a previous article by @Kevin_Stewart, SSL Orchestrator Advanced Use Cases: Inbound Authentication. In this article we assume that company ABC needs different SSLO topologies for different organizational functions.
In our lab we are using the following features:
Note: if you are using an F5 SSLO version older than v17.1 and want to integrate F5 AWAF, check WAFaaS with SSLO by @KevinGallaugher.
Note: if you are using the same box for F5 APM and F5 SSLO, you may need a VIP-targeting iRule similar to the one below, keyed on whichever ACCESS::session variables match the condition you need to apply.
when ACCESS_ACL_ALLOWED {
    # Runs once the APM access policy has allowed the request; the session
    # variables populated by the policy are readable here.
    set user [ACCESS::session data get "session.logon.last.username"]
    # Hand the request to the SSLO topology virtual server for this user.
    if { $user contains "user2" } {
        virtual "/Common/vs_myapp_top1"
    } else {
        virtual "/Common/vs_myapp_top2"
    }
}
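A fuller version of that pattern, added here as an illustration and not taken from the original article or from F5: the user's AD group membership chooses the topology, and a user with no mapping gets a 403 instead of falling through to a default topology. It assumes the access policy ran an AD Query (so session.ad.last.attr.memberOf is populated), and the group names and virtual server names are placeholders.

```tcl
# Added example (not from the original article). Selects the SSLO topology
# virtual server per organizational function using the AD groups that the
# APM access policy stored in the session. Group names and virtual server
# names below are placeholders; adjust them to your environment.
when ACCESS_ACL_ALLOWED {
    set user   [ACCESS::session data get "session.logon.last.username"]
    # Populated by an AD Query agent in the access policy (assumption).
    set groups [ACCESS::session data get "session.ad.last.attr.memberOf"]

    # First matching group wins; order the most specific function first.
    if { $groups contains "CN=Finance," } {
        set target "/Common/vs_myapp_top_finance"
    } elseif { $groups contains "CN=Engineering," } {
        set target "/Common/vs_myapp_top_eng"
    } else {
        # Fail closed: an unmapped user should not silently land on a
        # topology that was built for a different function.
        log local0. "No SSLO topology mapping for $user (memberOf: $groups)"
        HTTP::respond 403 content "Access denied" "Content-Type" "text/plain"
        return
    }

    # Leave an audit trail of which topology handled the session.
    log local0. "Routing $user to $target"
    virtual $target
}
```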
In our lab we are using the F5 Advanced Web Application Firewall (AWAF) service in the service chain; other SSLO configuration options can be found at https://clouddocs.f5.com/sslo-deployment-guide/
In the lab we are using the F5 SSLO Existing Application topology. Other topologies can be used as well; just make sure F5 SSLO forwards traffic to the application pool.