Forum Discussion

drumik_61546's avatar
drumik_61546
Icon for Nimbostratus rankNimbostratus
Dec 19, 2014

needs to some help with IRule that will assign sso

I'm trying to figure out a cleaner way to redirect clients when they try to access web page directly without login first to the portal

 

Setup:

 

2 portal pages and 2 domains 2 internal applications that not suppose to be accessible directly 2 sso

 

My iRule for internal application

 

when ACCESS_ACL_ALLOWED { set domain [ACCESS::session data get "session.ad.last.actualdomain"] set authresult [ACCESS::session data get "session.ad.last.authresult"]

 

if { $domain == "internal.org" and $authresult == 1 } then { WEBSSO::select internal.org_ntlm_sso

 

} elseif { $domain == "external.local" and $authresult == 1} then { WEBSSO::select external.local_ntlm_sso This part doesn't work

 

else { log local0. "Authentication Failed HTTP::redirect "http://something.org"

 

} }

 

Second iRule to handle error 20 when CLIENT_ACCEPTED { ACCESS::restrict_irule_events disable }

 

when HTTP_REQUEST { if { [HTTP::uri] ends_with "/my.logout.php3?errorcode=19" or [HTTP::uri] ends_with "/my.logout.php3?errorcode=20" } { HTTP::redirect "http://something.org" } }

 

APM policy for internal sites: Start-Allow

 

301 redirect
BIG-IP Access Policy Manager (APM)
security
websso

2 Replies

Sort By
  • drumik_61546's avatar
    drumik_61546
    Icon for Nimbostratus rankNimbostratus
    Dec 19, 2014

    Thanks

     

    I ended up going an easier way. All redirect that I tried didn't work with in ACCESS_ACL_ALLOWED I was keep getting "/my.logout.php3?errorcode=20" Will continue using original iRule

     

  • Michael_Jenkins's avatar
    Michael_Jenkins
    Icon for Cirrostratus rankCirrostratus
    Dec 19, 2014

    The way that I've done it in our environment is the check for a valid APM session on each request. If there's no valid session, then redirect the user. 

    when HTTP_REQUEST {
    if { not ([ACCESS::policy result] equals "allow") } {
        HTTP::respond 302 "http://something.org" "Connection" "Close"
    }
}

    You could also perform a cookie check for MRHSession and LastMRH_Session cookies, which contain the session id for the APM session. If those don't exist, you know there's no valid session.

    if { not ([HTTP::cookie exists "MRHSession"] || [HTTP::cookie exists "LastMRH_Session"]) } {
    HTTP::respond 302 "http://something.org" "Connection" "Close"
}

    This is a very basic way of checking, but should be effective. the 

    [ACCESS::policy result]
    will be 
    "allow", "deny" or ""
    from what I've seen. So you could make the checks more complex if necessary, but this should give you an idea.

    You can check out the this link for more info on ACCESS::session.