Forum Discussion

jtlampe's avatar
jtlampe
Icon for Cirrus rankCirrus
Dec 02, 2020

SSO credential mapping with Symantec

We are trying to build an APM policy that uses Symantec push authentication. I need to still be able to do SSO credential mapping to the backend application. However with Symantec appending a set of characters to the end of the user's password before it is set as the session.logon.last.password variable is breaking any SSO credential mapping we can without having two separate login pages. Is there an iRule that I can write that would take the users password and remove the added characters and make a new variable that I call in the mappings?

APM
application delivery
iRules
security

2 Replies

Sort By
  • jtlampe's avatar
    jtlampe
    Icon for Cirrus rankCirrus
    Mar 05, 2021

    We found the solution. We had to work inside the policy to assign session variables and remove the additional code that Symantec was adding to the password. This allowed us to take the full password (with symantec code) and send it to radius as a named variable, and have the last.password be the actual user's password to check it against AD since you cannot name the variable to be used for AD auth.

  • Chris_Wentland's avatar
    Chris_Wentland
    Icon for Nimbostratus rankNimbostratus
    Dec 07, 2020

    The String Range can help you accomplish what you're looking for. Sample below!

    when RULE_INIT {
    set user_password "password123456"
    log local0. "User Input Password: $user_password"
    set clean_password [string range $user_password 0 end-6 ]
    log local0. "Cleaned Password: $clean_password"
}

    Dec 7 08:30:04 bigip info tmm5[31075]: Rule /Common/password_length_rule <RULE_INIT>: User Input Password: password123456

    Dec 7 08:30:04 bigip info tmm5[31075]: Rule /Common/password_length_rule <RULE_INIT>: Cleaned Password: password