WEBSSO profile selection in LTM Policy
Problem this snippet solves: Starting with version 11.4, HTTPClass is replaced by Local traffic policies which allow to replace complex iRules by a organized list of rules. When we configure a long list of rules in one policy, there is always one irule feature which is not available in Policies. The first solution is to keep the irule to manage all Pool selection. The problem is lots of customers are migrating from Microsoft ForeFront TMG to F5 and convert TMG rules to irule can be very difficult. In such migration, customers share one IP for several URLs which require dedicated SSO (OWA with form based authentication, IIS with NTLM, tomcat with basic...) As Policy event REQUEST is executed before iRule event HTTP_REQUEST and "tcl set-variable" action allow to define a variable, we can combine Policies for Human readable rules and irule to execute irules features. The following code allow to change WebSSO profile by assigning the SSO profile name in a dedicated variable. How to use this snippet: In Local traffic policy rule, add the action (Variable name and expression are case sensitive): tcl set-variable name WebSSO expression [Name of SSO Profile] In the virtual server, enable the following irule: Code : when HTTP_REQUEST { if {([info exists "WebSSO"])} { WEBSSO::select $WebSSO } } Tested this on version: 11.4SSO Successful Logon Detection Match Type
What is the purpose for this configuration item? Successful Logon Detection Match Type What internal process does it trigger within the WEBSSO processing? My applications seems to function (perform SSO) just fine with or without this information being configured. Thanks.
WebSSO - Multiple detections or single time?
Hi all, Quick question on WEBSSO. User logs into F5 APM -> Provided a Portal (With SSO Config) -> Backend Application launches, SSO kicks in and logins -> User works on application, then clicks logout (NOT APM logout, just app) -> Sent to application logon screen. Will SSO kick in the second time? My view suggests it fires one and then disables itself so the next time the start uri comes up nothing happens from Big-IP. If it is single firing, is there a way to ensure it logs the user back in immediately? I know this is a bit odd, and most people would force APM to logout when the app does, but we can't for other circumstances
needs to some help with IRule that will assign sso
I'm trying to figure out a cleaner way to redirect clients when they try to access web page directly without login first to the portal Setup: 2 portal pages and 2 domains 2 internal applications that not suppose to be accessible directly 2 sso My iRule for internal application when ACCESS_ACL_ALLOWED { set domain [ACCESS::session data get "session.ad.last.actualdomain"] set authresult [ACCESS::session data get "session.ad.last.authresult"] if { $domain == "internal.org" and $authresult == 1 } then { WEBSSO::select internal.org_ntlm_sso } elseif { $domain == "external.local" and $authresult == 1} then { WEBSSO::select external.local_ntlm_sso This part doesn't work else { log local0. "Authentication Failed HTTP::redirect "http://something.org" } } Second iRule to handle error 20 when CLIENT_ACCEPTED { ACCESS::restrict_irule_events disable } when HTTP_REQUEST { if { [HTTP::uri] ends_with "/my.logout.php3?errorcode=19" or [HTTP::uri] ends_with "/my.logout.php3?errorcode=20" } { HTTP::redirect "http://something.org" } } APM policy for internal sites: Start-Allow
Seamless login from ntlm to form based authenication
I wonder if it's actually possible: Implement seamless login for the application Let's say user access home page. Home page is hosted on the IIS with integrated authentication (NTLM) Is it actually possible to grab user credentials, append domain name and use form based SSO to login to some other websites without installing any F5 plugins to the users workstation Thanks
