Forum Discussion

writemike's avatar
writemike
Icon for Nimbostratus rankNimbostratus
Jul 03, 2014

Use APM HTTP Auth to send a SOAP Message for OTP

Hello, I recently read this article on implementing a OTP solution in our APM via SMS:

        https://devcentral.f5.com/articles/one-time-passwords-via-an-sms-gateway-with-big-ip-access-policy-manager

In this article the OTP is sent to the client via an HTTP API, of the SMS provider, which used an HTTP Auth Server to communicate with the SMS provider. I would like to implement this same solution using a SOAP API, but I'm not sure what to populate the fields of the AAA HTTP Server with. I have successfully implemented this using an e-mail irule to the SMS provider and it works well, but we would like to encrypt the message via HTTPS and the provider only supports SOAP.

I was hoping that I could just paste the following output (from soapclient.com) into the "Hidden Form Parameters/Values", but it doesn't seem to be that simple. Any suggestions or other F5 doco I could reference?

1234567890987654321Test MessageMessage

The WSDL of the SMS Toolkit methods is located at: http://xml.redcoal.com/soapserver.dll/wsdl/ISoapServer

Thanks for your help, -Mike

BIG-IP Access Policy Manager (APM)
deployment
http aaa
security
soap

4 Replies

Sort By
  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Jul 03, 2014

    Just spit balling here, but assuming the SOAP message you need to send is in the HTTP payload and not HTTP headers, I don't believe the HTTP Auth mechanism will work for you. For this you'll likely need to do something more manual like a sideband call, which you can issue from an ACCESS_POLICY_AGENT_EVENT iRule event.

     

  • writemike's avatar
    writemike
    Icon for Nimbostratus rankNimbostratus
    Jul 05, 2014

    Thank you Kevin! So an HTTP AAA server can only manipulate the HTTP headers and nothing else? I used sideband for the e-mail test so I will just modify it for HTTPS. I was hoping to use something more built in.

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Jul 05, 2014

    An HTTP AAA is going to work with either a form GET/POST, Basic, or an NTML auth.

     

    An HTTP form GET puts the user:pass in the request query string. An HTTP form POST puts the user:pass in a POST payload. The Basic and NTLM methods encode the auth into an Authorization header. The AAA allows you to add additional headers and other custom values, but that's really the limit of the flexibility. To inject an entire SOAP message in a POST, you'd necessarily need the more manual sideband approach.

     

  • john_sergio_men's avatar
    john_sergio_men
    Icon for Nimbostratus rankNimbostratus
    Dec 27, 2019

    hello I have a configuration object in APM to authenticate http AAA, with  a webservice to send the token this serviced es type soap and I could not make it work is type of content xlm Anyone have any idea how to do this integration