Form-based Client-initiated SSO - does NOT inject JS
Hi, i'm writing this article since i had this issue and i couldn't find any documentation to this behavior so i hope this can save you guys some time. My issue was that after configuring Client-initiated SSO and trying to run it i could see that APM identifies the request and match the form but for some reason i couldn't find any signs of Auto/Custom JS injected in the response. also couldn't find any logs (Debug) indicating the problem. After working with support the reason for that was a missing "Content-Type" header in HTTP response of the login request (in my case it was QlikSense app) the next thing you think is - Ok i'm gonna add it in HTTP_Response irule event but according to support the an additional VS is required to make it work (probably due to sequence of events). I decided to try the irule (HTTP::header replace ) on the same VS and guess what ? it worked! Enjoy
When SSO Fails - Redirect user to logon page
Hey everyone! I’m having some issues with retriggering the clients to the initial APM logon page based on failed SSO logon. There is supposed to be a variable that triggers when SSO fails and I’m seeing it in my sessiondump based upon my SSO profile but the session variable defined in the following article: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/24.html is never set. It should be the following variable: session.logon.last.username.sso.state On my BIG-IP I have the following SSO State variable set: In our case this is not a Kerberos SSO and perhaps that is necessary to trigger the state variable (we use Client Initiated Form Based SSO). What do I have to do to match the above variable? I have tried numerous of different combinations, but none work. Including the original variable above. I have even tried to create a session variable in the VPE based on the original variable but with the same result. As soon as I can match that variable then I can send the correct redirect.
