Forum Discussion

PeterM's avatar
PeterM
Icon for Nimbostratus rankNimbostratus
Apr 22, 2020

APM HTTP auth

Hi,

I am trying to do form based HTTP authentication. Form method is POST. I did wireshark (when connecting to server directly) and HTML form includes:

username

password

_token

submit

 

Username and password is OK. Submit is sent empty. The problem I have is with parameter _token. This parameter is taken from HTML response when entering the site:   <meta name="csrf-token" content="MrMacUlmD6vlcdZsuVP8csCakwAwXXgqaDqaIO1Q">\n and sent back during the authentication.

 

My question is: how get the token variable to the POST? Using iRules? Or is there easier way of doing it?

 

thank you

4 Replies

  • there are two types of form based SSO (you are doing SSO right?)

     

    you might want the client initiated one, there you wouldnt have to worry about the csrf-token issue

     

    https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-0-0/25.html

  • PeterM's avatar
    PeterM
    Icon for Nimbostratus rankNimbostratus

    Hi, no, I used Access -> Authentication -> HTTP. But if SSO is better then I use it.

  • I am using form based SSO, and I tried pass csrf_token as hidden parameter, still I am getting 403 forbidden error - CSRF verification failed. Request aborted. 

    Hidden parameters - csrf_token submit