Forum Discussion

Jul 24, 2019

Validate client SSL against 3rd party service before allowing access? (eIDAS)

Hi all, looking for some advice for a recent request that's come my way and wondering if we can handle it all on-box with BIG-IP or if we need an additional application layer in the mix.

In simplified terms, we need to validate a client certificate presented to us against a 3rd party API, and if it's valid then reverse proxy the traffic to an existing web application (plus write out an audit log event).

Basic flow would be:

  1. client presents their certificate to BIG-IP
  2. BIG-IP makes an OAuth2 request to the 3rd party API to get an access token
  3. BIG-IP makes a second request to the 3rd party API using the above access token, and passes the client certificate info in PEM format to the API
  4. API responds with JSON data detailing whether the certificate is valid along with other data pairs
  5. BIG-IP parses the JSON data (according to as-yet TBC policy rules) and if valid proxies traffic to the downstream web app; if not valid then the connection would be killed

This also requires thought about session management with the downstream app, audit logging etc., but I'm not clear on what the best approach to take with this might be. Is it doable purely via iRules, or would it need an element of APM (or even iRulesLX, which I've not dabbled in as yet)?

Or is it cleaner to have a separate application server handling the above and we just proxy the traffic back and forth as needed?

Any suggestions/codeshares would be welcomed!

Thanks,

Dan
