RelayState Parameter Value for F5 (as IDP) initiated connection to Google Apps/Mail
Hello Experts, I am trying to create a SAML SSO. Below are the details: F5 is acting as IDP; Google GSuite is acting as SP (we intend to use Gmail, Drive etc. from Google with auth by F5 APM).

When I try an IDP-initiated connection, i.e. click on the SAML SSO link published in Webtop, I am getting an error from Google, which says "The required response parameter RelayState was missing". I have not configured any RelayState parameter in F5 under SAML SP Connector configuration (rather, I don't know what to configure). I tried to search a lot but am not getting a definitive working parameter to be used as relay state.

Anyone got that working? Please let me know how we can get this working, or what relay state parameter I shall use when using F5 as IDP and Google as SP, and the connection is IDP initiated.

google 2fa irule error
I'm struggling with this error when doing "load sys config verify": [use curly braces to avoid double substitution]

Full error message:

    /Common/Google_Token:131: warning: [use curly braces to avoid double substitution][(0x{[string range ${token} ${offset} [expr {${offset} + 7}]]}]

The iRule line in the original code was:

    set ga_code [expr (0x[string range $token $offset [expr $offset + 7]] & 0x7FFFFFFF) % 1000000]

And I changed it to:

    set ga_code [expr (0x[string range ${token} ${offset} [expr {${offset} + 7}]] & 0x7FFFFFFF) % 1000000]

I'm able to connect to APM and pass the token, it is working fine there, but this cannot get rid of this error message. Can anyone help with the correct syntax? The article https://support.f5.com/csp/article/K57410758 seems not to be very helpful.

Excluding google from geolocation with IRULE
Hi, I am interested in an iRule that will exclude Google IPs from geolocation blocking. Since Google's IP list is dynamic, I need a way to take this list and turn it into a data group on a regular basis.

The list is here: https://developers.google.com/search/apis/ipranges/googlebot.json
And the ranges are here: https://www.gstatic.com/ipranges/goog.json

Any ideas? Anybody done this already?

Thanks, Vered

HTTPS rewrite to HTTP.
Hi Everyone, Yes, you read that right, I want to change HTTPS-bound traffic to HTTP and was wondering if this can be done via an iRule? I have seen lots of threads for HTTP to HTTPS, but not the reverse.

Background: We have a content filter at our business and people are able to circumvent Google SafeSearch by using HTTPS://www.google.com. Because the request is SSL, our content filter can't inspect the traffic and therefore append "?safe=active" to the URI. (We can't deploy SSL interception technology on our content filter for a whole host of political reasons that I won't go into here...)

Everyone on our network uses the VIP on the F5 to get to the content filter. Can the VIP inspect the initial request and append the needed URI to the request via iRules?

Thank you in advance!

Google Analytics different code for Multiple Sites
Hi All, I am trying to figure out how to make different Google Analytics codes work for multiple sites. I found this on the good old interwebz/DevCentral, listed below. However, when I create a second iRule and change out the gacode for another code, I still see one GA code dominate both sites. I see now that RULE_INIT is a global call and I'm just not sure how to switch it up to make this work. Could any of you awesome people help me here? I've tried messing with streams to change it out, and am also thinking maybe my answer might be in the client_accept call, but I'm just kind of green here. Thanks in advance.

Code:

    when RULE_INIT {
        set ::find ""
        set gacode "UA-Code-x"
        set ::replace " "
    }
    when HTTP_RESPONSE {
        STREAM::disable
        if {[HTTP::header value Content-Type] contains "text"} {
            STREAM::expression "@$::find@$::replace@"
            STREAM::enable
        }
    }

Help with creating script
Currently we are using the Google Authenticator with our F5 implementation. We provide our users with a shared secret key and store the same key in our Active Directory for later reference. So basically we add a sample key like this to one of our AD fields: GVUEYVDJMNSFIMD2

So basically I have a ton of users with this setup in their AD fields. One of the issues I have with our setup is the fact that the key we store in Active Directory is too visible to others in my organization. So a friend pointed me to this link and I think it will fix my concerns: https://devcentral.f5.com/questions/apm-active-directory-authention-with-google-auth

So we add the following code to the Google Authenticator generator page:

    append ga_secret_http_resp "key (secret): $secret_b32\n \n "
    set key "3658F2C8C5C2017839B2B1761F713F8B"
    set iv "DC4F6A9A1C6D12C15FEC43179660C78B"
    set enc_ga_secret [b64encode [CRYPTO::encrypt -alg aes-128-cbc -keyhex $key -ivhex $iv $secret_b32]]
    append ga_secret_http_resp "encrypted secret: $enc_ga_secret\n"
    append ga_secret_http_resp "\n"

Users are provided the key GVUEYVDJMNSFIMD2 and we now add this encrypted key 3qqb/Yr1gSblF99F8/XkgJVFG5vs9KG5OwflwLHkU9I= to AD. The F5 can then decrypt the key and it works great. However, I now need to create a script that will take the remaining shared key we have in everybody's account and encrypt it. I was hoping someone knew a little PowerShell or some other scripting language that could help me out of this jam!