F5 newbie - trying to work things out - help :)





My current PoC (first stages, main bit)


Web site


With these URL tests:

• /testsso/unprotected - no protection, just to check the SSO; there is no need for an SSO token and no security requirements.

• /testsso/validsso - must be signed into the SSO; no specific group membership, just a valid token.

• /testsso/validgroup - must be signed in and be in the right group. Test with nested groups: user → groupA, and groupA is a member of groupZ; allow groupZ access.

• /testsso/validip - must be a member of group testIP and must also only be allowed from a specific IP.

• /testsso/mfasms - must be a member of groupSMS and must pass the SMS MFA.

• /testsso/mfatotp - must be a member of groupSMS and must pass the TOTP MFA (Google Auth).

• /testsso/mfacertificate - must be a member of groupSMS and must pass the cert MFA - can we force the user to have a valid debts client cert?

• /testsso/status - dump current status about the SSO and session token.

• /testsso/logout - be able to log out of the SSO; all tokens must be made invalid.


So my test steps are: open browser and go to


This is without any security: this opens a menu page with the above URLs as links - no security - have a valid SSO / Auth token … My presumption is that the F5 will redirect to the login page and make the user log in - be a member of a valid group … my presumption is that I have an SSO token from above and this will just test membership.


And the rest of the URIs above in order with the specific tests.

So I understand I need a different VS for each of the above.

So I have a main VS with no resource pool.

I use a policy to forward requests based on URI to specific VSs.

These VSs have access profiles associated with them, and I have attached them to a specific SSO multi-domain (look at the techdocs link below).

I also have a VS which is the default, which has no access profile.





Looking at this, this seems to be the article to tie the above together.

From my reading, with an SSO component, and because each of the above are separate VSs and separate ASM, I would have to log into each separately.


This section, “Configuring an access policy for SSO multi-domain support”, talks about solving that.


The problem with this doc is it's for version 11. I found a v15 version - basically the same.


Part of this: I am going to set a new URL, which I am going to use as my login / logout hostname for the SSO.

I believe I need to set this up as a new VS and attach my SSO there.


So my testing would be: this opens a menu page with the above URLs as links - no security - have a valid SSO / Auth token … F5 will send me to log in and once complete sends them back to - be a member of a valid group … my presumption is that I have an SSO token from above and this will just test membership.


I might need some help with setting up the access profile for the bottom two: if I have an action that says login page, will it know to go to



How will this translate for our debts platform, or any resources protected by F5 in XYZ?



User goes to

clicks to

F5 sends the user to where the user logs in if they don't have a valid SSO

F5 sends the user back to



So now my problem in testing:


1) this opens a menu page with the above URLs as links

2) - no security

3) - have a valid SSO / Auth token … My presumption is that the F5 will redirect to the login page and make the user log in

4) this works, login all good

5) https://demo.XYZ/F5Networks-SSO-Resp?SSO_ORIG_URI=XXXXXXXXX comes back 404



I believe that is because /F5Networks-SSO-Resp is being routed to the default VS that has no access profile, so the F5 doesn't know what to do.



So how do I fix that?

Bigger question ... am I doing this the right way? Is there a better way to do it?










You need F5 APM for SSO, not ASM. You can check the link below and see the option for a global profile under Profile Scope, and also the option "SSO / Auth Domains: Primary Authentication URI". The ASM will just block you if you haven't passed the login page first, if you have correctly configured this. The ASM and APM can work well together to accomplish the things you want:

Thanks, I think I have done that. Sorry, I am new to the F5 and the terminology.


So I created these VSs:

  • ... this is the URL for the shared SSO - multidomain
  • so http -> https
  • ... this is really an empty config - no resources - but I currently have 2 add-ons (1 iRule set and 2 policy rule). I am doing both for testing; not sure which is the preferred (best practice). I can see that the iRule is very flexible.
  • http -> https
  • ... this is the default VS from the empty one above - for the iRule I use a switch to decide which VS to use based upon URI, and I have a policy which does the same - both have a catch-all at the bottom that sends it to this VS
  • ... this is the VS that handles /testsso/validsso; basically it wants a valid SSO token. This is where I am stuck.


So on & I have SSO attached - the same one set up as multidomain.

I have a per-session access rule in place for both of them, although different.

For auth it sets up a login page and does an AD login and saves the variables to the SSO tokens.

For it has its own per-session access profile, which basically just does the SSO token task; this sends it to the login URL, that works, and once logged in it uses the F5Networks-SSO-Resp mechanism to go from auth to demo.


So this is me guessing, but the demo VS, the shell one, takes that and sends it to the demo_default VS, which doesn't have an access profile associated with it, so it fails!

I don't want an access profile attached to the default, as I want people to come there without an SSO token.


So what I have done in the iRule and also the LTM policy is redirect demo/F5Networks-SSO-Resp to auth/F5Networks-SSO-Resp, and that works.

I would write an iRule to do it myself without the redirect, but I don't know how, and I wouldn't know how to do it in the LTM policy - I am guessing a TCL command?



I had a quick look at the documents, but I believe I have done what they are suggesting - or I am missing something - I think we are getting around the terminology.


I was thinking maybe just add an access policy to the demo_default VS.


Also I believe I have set both the auth access policy to global and the demo_case2 to global?


Thanks for the input.

Still lost, not 100% on the next steps, to do it the F5 way.
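For reference, the URI dispatch described in this post written out as an iRule on the front "shell" virtual server. This is an added example, not the poster's own iRule or LTM policy. It assumes the virtual server names used later in the thread (vs-demo-validsso, vs-demo-validip, vs-demo-default) exist on the same BIG-IP, and instead of redirecting /F5Networks-SSO-Resp to the auth host it routes that path, together with the other APM-internal paths the poster mentions (/public, /vdesk) plus /my.policy, to a VS that carries an access profile in the same SSO domain group, because a VS with no access profile cannot process the SSO response (the cause of the 404 reported above).

```tcl
# Added example (not the poster's iRule): URI dispatch on the front VS.
# Assumes vs-demo-validsso, vs-demo-validip and vs-demo-default exist.
when HTTP_REQUEST {
    # Lower-case once so the glob patterns are case-insensitive.
    # HTTP::path excludes the query string, so ?SSO_ORIG_URI=... does not
    # affect matching.
    set path [string tolower [HTTP::path]]

    switch -glob -- $path {
        "/testsso/validsso*" {
            virtual vs-demo-validsso
        }
        "/testsso/validip*" {
            virtual vs-demo-validip
        }
        "/f5networks-sso-resp*" -
        "/my.policy*" -
        "/vdesk/*" -
        "/public/*" {
            # APM-internal URIs, including the multi-domain SSO response,
            # must be handled by a VS that has an access profile in the same
            # SSO domain group. Sending them to vs-demo-default (no access
            # profile) produces the 404 seen in the thread.
            virtual vs-demo-validsso
        }
        default {
            # Everything else stays unauthenticated.
            virtual vs-demo-default
        }
    }
}
```

The same dispatch can be built as a Local Traffic Policy with one "Forward traffic to virtual server" action per URI prefix. If a policy rule redirects instead, a fixed Location needs no tcl: prefix; only a Location built from [HTTP::host] or [HTTP::uri] does.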






Creating a BIG-IP ASM security policy and applying it to the layered virtual server

Impact of procedure: Performing the following procedure should not have a negative impact on the system.

To create the server, perform the appropriate procedures outlined in the following F5 manuals:

  • For BIG-IP ASM 13.x and 14.x, refer to the Creating a Simple Security Policy chapter of the BIG-IP Application Security Manager: Getting Started manual.


I tried to follow this, but I can't do that under my Security main menu; I only have Cloud Services!


In fact, most of the steps below that I can't do,

from this article.

Am I missing something? I am on 15.1.




I found on the licensing page that the ASM module didn't look like it was enabled, so I have enabled it ... maybe that's what I have been missing!




Turning on the ASM module - after reboot I had lost all of my work 😞 time for a break... sigh





So rebuilt it.

vs_base -> this has the ASM attached to it

policy route for validsso to a new VS

The SSO works, but it's still not processing the F5Networks-SSO-Resp URI 😞


You seem to be good with APM; I wouldn't call you junior with it.



For the Local Traffic Policy redirect, just see the example and you can replace the iRule. It is with a TCL command, as you mentioned. If you are redirecting to a static domain and there will be no variables used for the redirect like [HTTP::uri] or [HTTP::host], then just enter the static URL without using "tcl:", as "tcl:" is for when you need to have access to TCL variables, and for a static URL this is not needed.



If you set two access profiles to global, then if the user has authenticated to one, he will have access to the other, as mentioned in .



For the ASM VIP it could be that the ASM is blocking the SSO, so if possible test without an ASM policy out of working hours and check if that is the case, and if needed check the articles I have given for ASM and APM integration. If you followed it, then ASM is before the APM (normally it is AFM > LTM > APM > ASM), but by following the article with the layered VS the ASM is first, and maybe it could be blocking something if not configured correctly.




For the demo_default VS, if you don't have an access policy or profile then the SSO shouldn't work, as even the global profiles will not work if there is no access profile under the VIP.




Just a note: with iRules you can disable and enable the SSO. Also with the Variable Assign agent you can modify the SSO, as for example the user logs into the APM with username and password but the backend server wants another username (username with a domain attached and so on). If the SSO you use by default does not have an option you need, check the Variable Assign agent.





Also check out:


and the below article, as each access profile should have the SSO credential mapping (you may also use the Variable Assign macro) for SSO to work.




Okay, let me try this from a different angle then, based on this:



For the demo_default VS, if you don't have an access policy or profile then the SSO shouldn't work, as even the global profiles will not work if there is no access profile under the VIP.



So let's say I want people to freely get to

but when they hit


I want them to log in; especially I want them to use a global SSO (


So from what I have read


I create a VS for which is just a big switch to these VSs and also has an ASM attached to the front << this has an APM


You are saying that to get SSO working properly, I need to attach an APM to VS


Can I have an APM that just allows everyone without doing any checking?










Can you check this post:



The idea is to have with the same SSO object in the Access profile, and the access profile will do no more checks but just have the SSO.




You can use the multi-domain to redirect from to if not authenticated, but as you have the F5 ASM Login Page protection, you will simply block access to the other URL if the login page is not hit first.


Thanks for all your help. That last document is about where I started from.


I think my next step is to try to apply APM to the VS and somehow allow any access.


You just need to add the same SSO object and add only an Allow action at the end of it in the access policy (the main access profile and the one for the default VIP need to be with a scope of Global), or better yet you can just add the same profile with a profile scope of "Profile" for and , and when the user logs in and after that tries to access the , they will not need to pass the profile checks again, as there is a created session for the user from when they accessed 🙂 Test it out, lab it out and it will work.


AskF5 | Manual Chapter: Understanding Access Policies




With ASM enforce login page you will block the users from first trying to enter before



AskF5 | Manual Chapter: Creating Login Pages for Secure Application Access



F5 has a trial license for VMware, so test it at home. Also go to LearnF5 and pass the Getting Started for ASM/APM and, if needed, LTM:





Also check the operations guides; they are great:



I'm a bit lost here.



 With ASM enforce login page you will block the users from first trying to enter before



But I don't want people to have to log in to access the site by default - only for some URIs.



Let me rephrase it back to you:

vs-auth << main auth; LTM policy to vs-auth-apm

vs-auth-apm has APM attached


vs-demo << main VS, using an iRule to send to other VSs; also a policy profile that turns on ASM with a profile


vs-demo-default << all the default traffic, no access profile, nothing special


vs-demo-validsso << has an access profile. Policy is start -> SSO variable -> accept

This sort of works; the F5Networks-SSO-Resp URI still doesn't work, not picked up by vs-demo or vs-demo-default. Right now I map this to vs-auth or vs-demo-validsso; not the best, but


vs-demo-validip << has an access profile and a per-request profile ... it fails (by design, to test). The fail page fails, even when I map the URL to vs-auth or vs-demo-validsso; seems like it is only processed properly by vs-demo-validip.


SSO is set up as multidomain and all the access profiles (per-session) are set up as global.



So ... what I am trying to do is insert into the headers which VS the call was from, so I can map /public, /vdesk, /F5Networks back to that VS. Not ideal, in fact rather bad, as I would think it should just work... but ...










If the last answer is good enough for you, can you mark it as solved, so that the question will be marked as resolved.


So I have found a working answer


based upon this


Basically, attach an access profile and per-request profile to the first VS,


then use an iRule to turn access on and off where needed.


So I have a switch that pulls out the protected URLs


and a default that turns it off, except if MRHSession is not empty!


The one issue which I worked around is the SSO forms-based login URI including /


Not sure I fully understand how the SSO is supposed to work .. another thread


This works really well; it's all in one VS, so ...
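The single-VS approach from this post, written out as an iRule. This is an added example and not the poster's actual iRule. It assumes the access profile (scope Global, in the multi-domain SSO group) and the per-request policy that does the per-URI group, IP and MFA checks are both attached to this one VS, that the protected paths are the /testsso/... list from the start of the thread, and that the APM session cookie is named MRHSession (its standard name).

```tcl
# Added example (not the poster's iRule): one VS carries the access profile
# and per-request policy; this iRule decides per request whether APM runs.
when HTTP_REQUEST {
    # Lower-case once so the glob patterns are case-insensitive.
    set path [string tolower [HTTP::path]]

    switch -glob -- $path {
        "/testsso/validsso*" -
        "/testsso/validgroup*" -
        "/testsso/validip*" -
        "/testsso/mfasms*" -
        "/testsso/mfatotp*" -
        "/testsso/mfacertificate*" -
        "/testsso/status*" -
        "/testsso/logout*" -
        "/f5networks-sso-resp*" -
        "/my.policy*" -
        "/vdesk/*" -
        "/public/*" {
            # Protected paths and APM-internal URIs (login flow, multi-domain
            # SSO response): always run the access policy. Enable explicitly
            # rather than relying on the default, so an earlier
            # ACCESS::disable on the same keep-alive connection cannot carry
            # over to a protected request.
            ACCESS::enable
        }
        default {
            if { [HTTP::cookie exists "MRHSession"] } {
                # An APM session cookie is present: keep the request inside
                # APM so the session stays attached and /testsso/status and
                # /testsso/logout later see the same session.
                ACCESS::enable
            } else {
                # No session and an unprotected path: skip APM for this
                # request so the user is not sent to the login page.
                ACCESS::disable
            }
        }
    }
}
```

Two things to check when testing: ACCESS::disable only takes effect if it runs before the access policy processes the request, so the iRule must sit on the VS that holds the access profile, and if ASM is also attached to this VS its login-page enforcement still applies to the paths APM skips.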