forms-based client initiated sso
3 Topics

Need help with Client-Initiated Form SSO
Standard forms-based SSO doesn't work with a home-grown web app I am trying to get SSO working for. I've read through the manual page for APM for client-initiated forms. Following that manual I still can't get it to work. Below is the sequence for the web page on how you get to the POST of the forms.

1) GET
2) Response is a 302 to
3) The GET to results in a 302 to dynamic string here"
4) POST to dynamic string here" with forms for redirectUrl (blank value), userName, and password.

Below is my current config. I can't find a way to include the redirectUrl form parameter with a blank value. I'm not certain that is why it isn't working. I think that, combined with I don't know how to set this up to capture that dynamic string and pass that through as part of the request-value, is why it isn't working. As usual any help is much appreciated. My testing indicates that including that dynamic string is necessary.

    forms {
        FormProfileName {
            controls {
                password {
                    secure true
                    value "%{session.sso.token.last.password}"
                }
                userName {
                    secure true
                    value "%{session.sso.token.last.username}"
                }
            }
            request-value https://www.webapp.org/abc/portal/connect/home/login/
            success-match-type url
            success-match-value /abc/myportal/connect/home/word/*
        }
    }

292 Views, 0 likes, 0 Comments

APM Forms-based logon with NTLM SSO Backend
I've been fighting this a bit and not finding the solution on other DevCentral Articles.

Goal Synopsis:
- User opens internet portal page.
- Presented with Forms-based login page, user enters this username (e.g. firstinitial.lastname) and password.
- A chain of 5 AD forests is tested against this username.
- On Success, the F5 passes NTLM auth to a backend webserver, in this instance SharePoint 2016.

What's working: Everything up until the SSO mapping/NTLM result which needs to be passed to SharePoint. Below is the flow I've made, NTLM auth result I threw in as a test, the message boxes are just debug to see which branch is hit without digging in logs. The All AD Auth is the AD chain I mentioned, I'm also assigning a variable after each success to set the session.logon.last.domain to the corresponding AD in case it's needed later in the chain. I'm also doing a basic 401 challenge for internal NTLM and redirecting to either internal or logon page based on client IP.

Backend things:
- BIG-IP 13.1.1.2 Build 0.0.4 Point Release 2
- NTLMv2 SSO is on the SSO cred mapping, however, it's targeting 1 domain only. This one domain is the hub in a hub/spoke AD trust layout, so any user from any domain can auth to it.
- I'm using iRules to handle the resource assignment since I'm directing to pools based on the hostname requested (we have a lot, it's annoying), but isn't an issue.
- I've not set up that one NTLM setting I can't remember off the top of my head that can only be done via TMM CLI because I could only find it mentioned in version 11 or older BIG-IPs.

Next Steps: I'm really not sure, everything I've been finding says this should be working but it's not and I can't find anything on DevCentral that matches what I'm trying to do. It's all either been 401 challenge pages or something to do with SSO to MS Exchange. So I'm throwing this on here hoping someone has an idea as to what I'm missing.

475 Views, 0 likes, 1 Comment

Forms-Based Client-Initiated SSO - Some Basic Principles
I realise that there are already quite a number of questions on DevCentral relating to forms-based client-initiated SSO in APM, but I wondered if anyone could help me to understand some basic principles which would then assist me to find a solution to a problem I am having.

I am attempting to perform SSO to an IBM Jazz Team Server (JTS) instance made available as an APM portal resource. JTS uses the Dojo toolkit to present a login form to users and overrides the standard 'submit' action with dojoAttachEvent.

Obviously I don't expect a working solution for the above but in order to help me to work it out for myself I need to understand a few basic principles of how custom JavaScript is handled by the SSOv2 form handler.

- Are custom JavaScript replacements/amendments only injected into the page by APM once the form is identified or when the login criteria is matched?
- Is form identification performed once the page has fully loaded and the DOM is ready or prior to that point?

Understanding at which point APM attempts form identification and whether it is a prerequisite for using custom JavaScript would be really helpful. Many thanks.

310 Views, 0 likes, 1 Comment