APM HTTP auth

PeterM
Nimbostratus

Hi,

I am trying to do form-based HTTP authentication. The form method is POST. I did a Wireshark capture (when connecting to the server directly) and the HTML form includes:

username

password

_token

submit

 

Username and password are OK. Submit is sent empty. The problem I have is with the parameter _token. This parameter is taken from the HTML response when entering the site:   <meta name="csrf-token" content="MrMacUlmD6vlcdZsuVP8csCakwAwXXgqaDqaIO1Q">\n and sent back during the authentication.

 

My question is: how do I get the token variable into the POST? Using iRules? Or is there an easier way of doing it?

 

Thank you
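
The exchange described in the question above, shown outside BIG-IP as an added example that is not part of the original post: the token is read from the `csrf-token` meta tag of the login page and placed in the `_token` field of the POST body. The sample page and the credentials are constructed; only the meta tag and the four field names come from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed login page. The meta tag is the one quoted in the question;
# the rest of the markup (including the /login action) is an assumption.
LOGIN_PAGE = """<html><head>
<meta name="csrf-token" content="MrMacUlmD6vlcdZsuVP8csCakwAwXXgqaDqaIO1Q">
</head><body>
<form method="POST" action="/login">
<input name="username"><input type="password" name="password">
<input type="submit" name="submit" value="">
</form></body></html>"""


class CsrfMetaParser(HTMLParser):
    """Records the content attribute of the first <meta name="csrf-token">."""

    def __init__(self):
        super().__init__()
        self.token = None

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag == "meta" and attributes.get("name") == "csrf-token":
            if self.token is None:
                self.token = attributes.get("content")


def extract_csrf_token(html):
    """Return the token from the login page, or fail loudly if it is absent."""
    parser = CsrfMetaParser()
    parser.feed(html)
    if not parser.token:
        raise ValueError("no csrf-token meta tag in response")
    return parser.token


def build_login_body(html, username, password):
    """Form-encode the four fields listed in the question; submit stays empty."""
    return urlencode({
        "username": username,
        "password": password,
        "_token": extract_csrf_token(html),
        "submit": "",
    })


if __name__ == "__main__":
    print(build_login_body(LOGIN_PAGE, "alice", "s3cret"))
```

The token has to come from a fresh GET of the login page each time, so a value copied once from a capture cannot be reused as a fixed form parameter.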

4 REPLIES

boneyard
MVP

There are two types of form-based SSO (you are doing SSO, right?)

 

You might want the client-initiated one; there you wouldn't have to worry about the csrf-token issue.

 

https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-0-0/25.html

PeterM
Nimbostratus

Hi, no, I used Access -> Authentication -> HTTP. But if SSO is better then I will use it.

Manideep
Nimbostratus

I got the same issue. Any solution for this?

Manideep
Nimbostratus

I am using form-based SSO, and I tried to pass csrf_token as a hidden parameter, but I am still getting a 403 Forbidden error - CSRF verification failed. Request aborted.

Hidden parameters - csrf_token submit