Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Example passing information to a application from APM

Go to solution
Ravager
Altostratus
Altostratus

‎08-Jul-2021 14:05

I guess this is more of a request for a how would I question then anything and hopefully example articles or blogs exist already.

 

What I would like to understand is after authenticating someone via APM how do I pass like the user information to the application, basically very very simple sso.

 

So maybe a some simple helloworld webcode that goes hello 'username' and maybe as a second step ignoring https what would be the correct way to encrypt that info maybe as a cookie?

 

And a little more advanced how you would do this with a simple app with username + password boxes so the APM would prefill the login with the info it already has ie sso.

 

 

Thanks in advance

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Niels_van_Sluis
MVP
MVP

‎10-Jul-2021 08:41 - last edited on ‎05-Jun-2023 23:02 by Fog

Hi Ravager,

Your question inspired me to do some testing with passing APM session variables into sessionStorage. First I created an iRule to add the APM session variable into the sessionStorage of the webbrowser. And a simple webpage to query the browsers sessionStorage.

iRule:

when ACCESS_POLICY_COMPLETED {
    set username [ACCESS::session data get session.logon.last.username]
    
    set html "<!DOCTYPE html>"
    append html "<body onload=\"location.reload()\"></body><script lang=\"javascript\">"
    append html "if (typeof(Storage) !== \"undefined\") \{"
    append html "sessionStorage.setItem(\"username\", \"$username\");"
    append html "\}</script></html>"
    
    ACCESS::respond 200 content $html
}

HTML to put on the webserver:

<!DOCTYPE html>
<html>
<body>
<div id="result"></div>
<script>
if (typeof(Storage) !== "undefined") {
  document.getElementById("result").innerHTML = "Username: " + sessionStorage.getItem("username");
} else {
  document.getElementById("result").innerHTML = "Sorry, your browser does not support Web Storage...";
}
</script>
</body>
</html>

Here you can see the username is put into the browsers sessionStorage.

0691T00000CqKdeQAF.pngLike always with the F5 BIG-IP, there is more than one way to do it. For example, you could also use HTTP Headers to pass information from APM to the web application. See:

K74392192: How to insert APM Variables in backend headers to the application server

https://support.f5.com/csp/article/K74392192

View solution in original post

3 REPLIES 3

Go to solution
Daniel_Wolf
Nacreous
Nacreous

‎10-Jul-2021 08:16

Hi Ravager,

 

you could start with something easy, setup an NGINX web server with basic auth. See this tutorial:

https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/

This is gonna be your pool member. Test basic auth by accessing the webserver directly, without the BIG-IP.

 

Next you will setup an APM Access Policy of the type LTM-APM with SSO Credential Mapping and create an HTTP Basic SSO configuration.

With the HTTP Basic method of authentication, the SSO plug-in uses the cached user identity and sends the request with the authorization header. This header contains the Basic token and the base64-encoding of the user name, colon, and the password. Example from tcpdump:

0691T00000CqKdPQAV.pngSee this Manual Chapter: Creating an HTTP Basic SSO configuration.

 

Another simple form of SSO would be an HTTP forms-based SSO. With this method the BIG-IP will send the username and password as a HTTP form-based POST request to the application. Here is an example, you have to specify the parameter names for username, password and Start URI.

0691T00000CqKdZQAV.pngSee this Manual Chapter: Creating an HTTP forms-based SSO configuration

You can find some HTML snippets for a form-based auth website here: https://www.w3schools.com/howto/howto_css_login_form.asp 

 

Is this useful for you?

 

KR

Daniel

 

 

Go to solution
Niels_van_Sluis
MVP
MVP

‎10-Jul-2021 08:41 - last edited on ‎05-Jun-2023 23:02 by Fog

Hi Ravager,

Your question inspired me to do some testing with passing APM session variables into sessionStorage. First I created an iRule to add the APM session variable into the sessionStorage of the webbrowser. And a simple webpage to query the browsers sessionStorage.

iRule:

when ACCESS_POLICY_COMPLETED {
    set username [ACCESS::session data get session.logon.last.username]
    
    set html "<!DOCTYPE html>"
    append html "<body onload=\"location.reload()\"></body><script lang=\"javascript\">"
    append html "if (typeof(Storage) !== \"undefined\") \{"
    append html "sessionStorage.setItem(\"username\", \"$username\");"
    append html "\}</script></html>"
    
    ACCESS::respond 200 content $html
}

HTML to put on the webserver:

<!DOCTYPE html>
<html>
<body>
<div id="result"></div>
<script>
if (typeof(Storage) !== "undefined") {
  document.getElementById("result").innerHTML = "Username: " + sessionStorage.getItem("username");
} else {
  document.getElementById("result").innerHTML = "Sorry, your browser does not support Web Storage...";
}
</script>
</body>
</html>

Here you can see the username is put into the browsers sessionStorage.

0691T00000CqKdeQAF.pngLike always with the F5 BIG-IP, there is more than one way to do it. For example, you could also use HTTP Headers to pass information from APM to the web application. See:

K74392192: How to insert APM Variables in backend headers to the application server

https://support.f5.com/csp/article/K74392192

Go to solution
Ravager
Altostratus
Altostratus

‎10-Jul-2021 14:59

You guys are legends, very keen to play around with your suggestions next week at work. This topic might even be a good one to write a full article with the various ways to do this

0 Kudos
Copyright © 2023 Khoros, LLC