form
3 TopicsSubsequent Form Based SSO
Problem this snippet solves: After performing a successful APM Form Based SSO it can happen that the backend website will expire the user session while the APM session is still active. When this happens, the user will see the logon page of the backend website and needs to login again. This code snippet will try to detect that the user is being redirected to the backend website login page and will perform a Form Based SSO again by using the credentials from the active APM session. How to use this snippet: When using this code snippet, make sure you set the below shown variables to match your environment. set static::start_uri set static::form_action You should also use the Variable Assign agent in the VPE to set the APM session variable session.custom.form_based.password with the users password. This password will be used to perform the subsequent Form Based SSO. Use the following custom expression: return [mcget -secure {session.logon.last.password}] . Code : when RULE_INIT { set static::start_uri "login.html" set static::form_action "/F5/form_based_login/login.php" set static::form_html { Your browser does not support JavaScript, press the Continue button once to proceed. } set static::form_html [string map "form_action $static::form_action" $static::form_html] } when HTTP_REQUEST { if { [HTTP::cookie exists MRHSession] and [ACCESS::session exists -state_allow -sid [HTTP::cookie MRHSession]] } { set active_session 1 if { [HTTP::method] equals "POST" && [HTTP::uri] equals $static::form_action } { set collect_length 2048 if { [HTTP::header Content-Length] eq "" } { set collect_length $collect_length } elseif { [HTTP::header Content-Length] == 0 } { unset collect_length } elseif { [HTTP::header Content-Length] > $collect_length } { set collect_length $collect_length } else { set collect_length [HTTP::header Content-Length] } if { [info exists collect_length] } { HTTP::collect $collect_length } } } } when HTTP_REQUEST_DATA { # the session.custom.form_based.password variable needs to be set via a variable assign agent in the VPE. set username [ACCESS::session data get session.logon.last.username] set password [ACCESS::session data get session.custom.form_based.password] HTTP::payload replace 0 [HTTP::payload length] "username=$username&password=$password" } when HTTP_RESPONSE { if { [info exists active_session] } { if { [HTTP::header "Location"] equals $static::start_uri } { if { [ACCESS::session data get session.custom.first_redirect] == 1 } { # this is the subsequent redirect which is not covered by APM Form Based SSO HTTP::respond 200 content $static::form_html } else { # this is the initial redirect which is covered by APM Form Based SSO ACCESS::session data set session.custom.first_redirect 1 } } unset active_session } } Tested this on version: 13.0352Views0likes2CommentsAPM Single Sign-On: Forms - Client Initiated j_security_check issue
Hi, I'm trying to use "Single Sign-On: Forms - Client Initiated" to pass the Okta credentials to a web application running on Tomcat. The web application is returning the following form: <form data-empty-path="/APG/empty.html" id="login-form" method="post" action="j_security_check" > <input type="text" id="username" name="j_username" value="" tabindex="1" placeholder="User Name"/> <input type="password" id="password" name="j_password" value="" tabindex="2" placeholder="Password"/> <span class="error-message"> </span> <button type="submit"tabindex="3" class="ui-button ui-widget ui-state-default ui-state-disabled ui-corner-all ui-button-text-only"><span class="ui-button-text">Login</span></button> </form> My Form Definition settings are the following: - name = insightful_java - Detect request for form by: "URI" with Request URI: "/APG" - Identify Form by: Form Parameters with j_username=%{session.sso.token.last.username} and j_password=%{session.sso.token.last.password} - Disable Auto detect submit = No - Detect Login by = None - Javascript Injection = Auto Under these conditions I see that the form is not automatically filled in the /APG/j_security_check?f5-sso-form: insightful_java sent by my browser. Or better, I can see that the request is sent with query string parameter = "f5-sso-form: insightful_java", but the "Form Data" is empty My understanding is that the auto generated javascript code used with this setup is the following: <script> document.body.onkeydown=function(e){return false;}; document.body.style.visibility='hidden'; document.body.style.display='none'; function __f5submit() { var __f5form = document.forms[0]; __f5form.setAttribute('autocomplete', 'off'); __f5form['j_username'].value='giv'; __f5form['j_password'].value='f5-sso-token'; ; var __f5action = __f5form.action; var __f5qsep = (__f5action.indexOf('?') == -1) ? '?' : '&'; __f5form.action = __f5action + __f5qsep + 'f5-sso-form=insightful_java'; ; __f5form.submit(); } if (window.addEventListener) { window.addEventListener('load',__f5submit,false); } else if (window.attachEvent) { window.attachEvent('onload',__f5submit); } else { window.onload=__f5submit; } </script> Can you please help me to address this issue? Thanks. Roberto711Views1like0CommentsWindows Edge Client to NOT remember username and OTP form fields?
Hi all, I only allow Edge Client installed on laptops to connect to F5 APM's Virtual Server. To capture user credentials, a small browser window will pop-up to capture username and password. With the no-password-caching setting, the password form field will always be blank. However, I realize the username field is always populated with previous username and the OTP field is also populated (black dots) with previous pass code. I have even tried editing the Internet Explorer setting to not auto-complete or remember form fields. Any idea on this? Thanks!284Views0likes1Comment