Forum Discussion

LarsS__178188's avatar
LarsS__178188
Icon for Nimbostratus rankNimbostratus
Mar 22, 2016
Solved

APM - Delete SSO credentials after login

Hello everybody,   I couldn't find any solution on my issue so far, so I try my luck here.   We use APM to access a SAP Portal. To realize SSO with the F5 and the SAP Portal login side, our One...
application delivery
BIG-IP Access Policy Manager (APM)
SSO
  • Josiah_39459's avatar
    Josiah_39459
    Mar 22, 2016

    Is the BW app a pool or a weblink or what? If SSO is being applied that means the request must be passing through the F5, so on whatever vip gets the request, check the HTTP_REQUEST event [HTTP::uri] and apply SSO::disable accordingly.

    e.g.

    when HTTP_REQUEST {
  if { [HTTP::uri] starts_with '/blahblahblah' } {
    WEBSSO::disable
  }
}

    or

       when ACCESS_ACL_ALLOWED {
      if { [HTTP::uri] starts_with '/blahblahblah' } {
        WEBSSO::disable
      }
    }

    similar depending on your app and f5 config

Walter_Kacynski's avatar
Walter_Kacynski
Icon for Cirrostratus rankCirrostratus
Mar 23, 2016

There are many ways to accomplish this. Here is a method that I have used to hardcode static accounts. The downside to this approach is that the password would be coded in plain text in the big-ip configuration. Depending on your setup this may or may not be a problem. I chose not to use the HTTP Basic Auth SSO object since it requires more coordination and the task can be solved with a single iRule.

when ACCESS_POLICY_COMPLETED {
    switch [ACCESS::session data get "session.policy.result"] {
        "allow" {
             Setup BW SSO Object with a custom session variable that stores the base64 encoded version of username:password
            ACCESS::session data set -secure session.custom.sso.bwAuth [b64encode StaticUsername:StaticPassword] 
        }
    }
}

when ACCESS_ACL_ALLOWED {
    switch -glob [HTTP::uri] {
        "/bw*" {
             Insert the pre-constructed Basic Auth header for this URL
            HTTP::header replace "Authorization" "Basic [ACCESS::session data get -secure session.custom.sso.bwAuth]"
        }
    }
}