Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

iRule - jwt is generated prior to authentication

Go to solution
keda
Nimbostratus
Nimbostratus

‎21-Feb-2023 10:58

Hoping you guys could shed some light on this, all our efforts have failed so far

Scenario:

  • Client hits https://service.com/example
  • Initial uri is stored in an sessions variable called session.server.landinguri
  • Client is redirected to IdP(F5 SAML federation with IDP)
  • Authentication takes place and if completed the client is redirected to the landinguri and a jwt is signed and generated via an iRule (signature, username etc)
  • jwt is passed to the URI (yes, the applications requires this. HTTP header via authorization header is not supported)

We have tried generating the jwt in the APM but are unable to decrypt it in to proper format for appending to the URI. This is why we are doing this in an iRule

Our problem is that the iRule jwt is being generated at the start of the APM in the initial session BEFORE the authentication is taking place which results in e.g an empty username being displayed. We have been experimenting with ACCESS_POLICY_AGENT_EVENT but cant get things to work as it still picks up the jwt that is generated prior to SAML authentication.

When debugging we can see 3 jwts being generated in the flow, the first one with an empty username, the following 2 (after successful auth) contain the correct info.

Any advice on troubleshooting this is highly appreciated!

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
keda
Nimbostratus
Nimbostratus
In response to Lucas_Thompson

‎23-Feb-2023 06:26 - edited ‎23-Feb-2023 06:47

Thanks @Lucas_Thompson for helping out. ACCESS_ACL_ALLOWED did not help but your input lead us to try ACCESS_POLICY_AGENT_EVENT with a different approach and it appears to have done the trick!

Thanks again

View solution in original post

2 REPLIES 2

Go to solution
Lucas_Thompson
F5 Employee
F5 Employee

‎22-Feb-2023 10:54

Hi Keda, it sounds like an interesting use case. As you've found, a per-session policy only executes a single time at the beginning.

To make the code execute upon every request, you can use Per-Request policies (and call your irule from there) or you can use iRules (use the ACCESS_ACL_ALLOWED event so you're inside the user's session context). In either Per-Request or iRules you can append an HTTP header to the user's request. Use the "http header replace" function (https://clouddocs.f5.com/api/irules/HTTP__header.html), as it will replace any existing and potentially incorrect user-supplied header.

0 Kudos

Go to solution
keda
Nimbostratus
Nimbostratus
In response to Lucas_Thompson

‎23-Feb-2023 06:26 - edited ‎23-Feb-2023 06:47

Thanks @Lucas_Thompson for helping out. ACCESS_ACL_ALLOWED did not help but your input lead us to try ACCESS_POLICY_AGENT_EVENT with a different approach and it appears to have done the trick!

Thanks again

Copyright © 2023 Khoros, LLC