apm irule
4 TopicsACCESS::session sid fails some times
Hi I have something like this if { ( [ACCESS::session exists] ) } { set un_ec_sid [ACCESS::session sid] some other stuff } and I get in /var/log/ltm session ID lookup failed - Expired (line 1) invoked from within "ACCESS::session sid" not sure how that can fail the exists statemant confirms its valid but then suddenly it dies ? also is the SID the same as MRHSESSION Cookie ?407Views0likes2CommentsHow to get SSO information from 1 vcmp to another
Hi My setup I have a cluster 2 nodes called vcmp1 on here I have 2 VS login (saml idP) auth (saml SP and a OAuth server) I have vcmp2 cluster and it has VS test - it uses oauth client - so links back to auth and auth to login What this means is people log into the login server - think username and password. I can get username to transfer from login -> oauth -> test using saml and claim for userid in the OAuth token But I don't want to put the password in there - even if its encrypted (do others do this, just seems bad) On the test VS i need the users password to log into a backend app that doesn't take oauth or saml (think atlassian server) My understanding is I can extend an APM session from 1 vcmp to another (bigip to another). I was thinking to do a sideband call to login filter that to only be allowed to be called by the F5's and grab an excrypted password that way so client call test/uriForJira In a irule if i don't have a password, I 302 to login/getMySession login/getMySession return via 302 say test/uriForJira?MySession=<sessionid - basically MRHSession> then vcmp2 makes a sideband call to login/FROMVCMP2?MRHSession - which would return the password encrypted with AES 256. Does that seam reasonable Do i do it in irules or irules.lx (node.js) Or is there another way to do this ?492Views0likes2Comments2 factor authentication with different timeouts
I have some APM policy working with one and two factor authentication. But now we need to have a two factor authentication with different timeouts for the second factor. Example: Client connect in the morning and have a full login with 2 factor. First is LDAP second is RSA over Radius. After 2 hours the client come back and need a re authentication but now we want to check only LDAP. But after one day we want both factors. Idea is to write an additional cookie with encoded string of username and last logon. Then the F5 can check this during the authentication and/or set. But I don’t know how. Thanks for our help553Views0likes3Comments