SSO
103 Topics

OAuth SSO

Hi All, we'd like to secure the access to a backend portal with OAuth (F5 Authorization Server and F5 Client/Resource Server). We already configured 2 Virtual Servers and 2 Access Profiles:
- access profile 1 for the backend application (OAuth Client and Scope Agents)
- access profile 2 for the OAuth AS (Logon Page, LDAP Auth and OAuth AS Agent)
The login and the OAuth (OIDC) work with the backend via id_token. The idea was to ask the user ONCE for his LDAP credentials and then authorize the user in subsequent authorization requests from client applications WITHOUT asking him to enter his credentials again. What we see in the session logs is that the authorization server session always ends with "session deleted (oauth_finished)" once the authorization request has successfully ended, hence the user's LDAP information is destroyed together with the "session deleted". Is it possible to get some kind of SSO so that the user's credentials are stored in the client for subsequent authorization requests and the logon page can make use of those credentials without prompting the user to log in manually again? Thanks, Steffen

BIG-IP APM: RADIUS and SSO mapping broken
Hi All, I think that using a combination of RADIUS authentication (with one-time token) and SSO credential mapping within APM is broken. Credentials entered on the logon page are stored in the username & password session variables. If you do a RADIUS authentication with a one-time token, the password variable will be overwritten with the token, so an SSO credential mapping after the RADIUS authentication will get a wrong password. You can prevent this by either putting the SSO credential mapping before the RADIUS block, or "caching" the initial password in a separate variable with a variable assign before ( password2 = password ) and after ( password = password2 ) the RADIUS block. However, this fix will not work if the user enters the wrong password initially. The RADIUS block will reload the login page and show you the "wrong credential" warning as often as you define, but the SSO credential mapping or variable assign defined BEFORE the RADIUS authentication won't be updated with the correct password. I know that I could set the "max. attempts allowed" to 1 and have a completely new APM session after every wrong credential, or I could build a loop and lose the "wrong credential" message, but those 2 options are not that pretty in my opinion. I'm just wondering if someone has a nice solution to this problem. Cheers, Patrick

APM Single Sign-On: Forms - Client Initiated j_security_check issue
Hi, I'm trying to use "Single Sign-On: Forms - Client Initiated" to pass the Okta credentials to a web application running on Tomcat. The web application is returning the following form:

    <form data-empty-path="/APG/empty.html" id="login-form" method="post" action="j_security_check">
      <input type="text" id="username" name="j_username" value="" tabindex="1" placeholder="User Name"/>
      <input type="password" id="password" name="j_password" value="" tabindex="2" placeholder="Password"/>
      <span class="error-message"> </span>
      <button type="submit" tabindex="3" class="ui-button ui-widget ui-state-default ui-state-disabled ui-corner-all ui-button-text-only"><span class="ui-button-text">Login</span></button>
    </form>

My Form Definition settings are the following:
- name = insightful_java
- Detect request for form by: "URI" with Request URI: "/APG"
- Identify Form by: Form Parameters with j_username=%{session.sso.token.last.username} and j_password=%{session.sso.token.last.password}
- Disable Auto detect submit = No
- Detect Login by = None
- Javascript Injection = Auto

Under these conditions I see that the form is not automatically filled in the /APG/j_security_check?f5-sso-form: insightful_java request sent by my browser. Or better, I can see that the request is sent with the query string parameter "f5-sso-form: insightful_java", but the "Form Data" is empty.

My understanding is that the auto-generated JavaScript code used with this setup is the following:

    <script>
    document.body.onkeydown = function(e) { return false; };
    document.body.style.visibility = 'hidden';
    document.body.style.display = 'none';
    function __f5submit() {
      var __f5form = document.forms[0];
      __f5form.setAttribute('autocomplete', 'off');
      __f5form['j_username'].value = 'giv';
      __f5form['j_password'].value = 'f5-sso-token';
      var __f5action = __f5form.action;
      var __f5qsep = (__f5action.indexOf('?') == -1) ? '?' : '&';
      __f5form.action = __f5action + __f5qsep + 'f5-sso-form=insightful_java';
      __f5form.submit();
    }
    if (window.addEventListener) {
      window.addEventListener('load', __f5submit, false);
    } else if (window.attachEvent) {
      window.attachEvent('onload', __f5submit);
    } else {
      window.onload = __f5submit;
    }
    </script>

Can you please help me to address this issue? Thanks, Roberto

Assigning SSO profiles to different Portal Access items on a full Webtop
I have a webtop that displays an array of portal access objects based on APM's authentication and authorization (v12.1.2). There is an SSO profile assigned to the APM profile, but many of the portals link to apps that require a different SSO profile. On the portal access object, there is a single resource with a host name matching the Application URI, and a path of '/'. A different SSO profile is set here for those apps that can't use the default profile. It appears that the new profile is not assigned. APM debug logging shows it attempting (and failing) to match against the URI list for the default SSO, not this app's SSO. I know that the individual SSO profiles are good, because I can swap each one in for the default, and the apps that want that profile do SSO correctly. The rest go to double logons. How is this supposed to work?

F5 IDP - ASP.NET SAML SSO example
Looking to add F5 IDP (APM) to our product SSO providers. We already connect to Azure AD (https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-aspnet-webapp), Okta (https://github.com/okta/samples-aspnetcore/tree/master/samples-aspnetcore-2x/self-hosted-login) and others using OWIN. Is there an ASP.NET SDK or guide we can follow? Thanks!