navgup_66025
Aug 06, 2013

authenticate and then redirect

Would like to know if it is possible that, when a user goes to a bookmarked URL, he is authenticated via iRule to the authentication URL and then redirected back (seamlessly) to the bookmarked URL.

User bookmarked URL: http://app1.usn.com/test/pol/nite.asp

Authentication URL: http://app1.usn.com

1) User selects the bookmarked URL >> this will be rejected by the server the first time

2) F5 evaluates a non-auth (or just the URL string) and forwards the request to the authentication URL

3) Authentication URL authenticates the user (through kerb token/session cookie), then redirects to the user-selected URL.

Is it possible? If yes, please guide.

Thanks,

2 Replies

  • Yes, I think it is possible. George has written the reCAPTCHA article below, but not sure if it is useful for you.

    Google reCAPTCHA Verification With Sideband Connections by George Watkins

    https://devcentral.f5.com/tech-tips/articles/google-recaptcha-verification-with-sideband-connections.UgB_BW0-ZQI
  • Could be wrong, but not sure reCAPTCHA fits the described scenario. There are actually a few options:

    1. APM multi-domain authentication - you mentioned a "kerb token", so not sure if the Access Policy Manager module is an option for you. If it is, there's a native SSO mechanism for that. It essentially requires TWO virtual servers: the application VIP and the logon VIP. The user makes a request at the application VIP, is immediately redirected to the logon VIP for authentication, and then gets sent back to the application VIP after successful logon.

    2. APM SAML - another APM option that requires TWO virtual servers. This one is a little more complex than the first, but WAY cooler because the IdP (identity provider - logon VIP) doesn't have to be on the same hardware and can be on any SAML 2.0 compliant product (not just another APM).

    3. iRules - I assume you posted in this particular forum because you were looking for an iRules-based solution, and it is possible, but far more laborious than the first two options. You would essentially need: a) a controlled logon page and an authentication method, b) an iRule-driven session token, and c) the logic required to redirect to/from the logon page based on the presence of the session token.
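
The token-and-redirect logic of option 3, written out as an added iRule example; it is not part of the original reply and not F5's own code. It assumes one virtual server for app1.usn.com, a logon URL that answers 401 until authentication succeeds and 200 afterwards, and hypothetical cookie and subtable names.

```tcl
# Added example, not from the thread. Cookie names, subtable names and
# timeouts are assumptions; "/" is the authentication URL from the question.
when RULE_INIT {
    set static::logon_path  "/"
    set static::sess_cookie "irule_sess"  ;# hypothetical session-token cookie
    set static::ret_cookie  "irule_ret"   ;# hypothetical pre-logon nonce cookie
    set static::idle        900           ;# assumed idle timeout (seconds)
}
when HTTP_REQUEST {
    set at_logon 0
    set nonce [HTTP::cookie value $static::ret_cookie]
    set tok   [HTTP::cookie value $static::sess_cookie]
    if { $tok ne "" && [table lookup -subtable sess $tok] ne "" } {
        return                            ;# valid token: pass to the pool
    }
    if { [HTTP::path] eq $static::logon_path } {
        set at_logon 1                    ;# let the server authenticate
        return
    }
    # No token: keep the bookmarked URI in the session table under a random
    # nonce, so the later redirect target is never read back from the client.
    set nonce [lindex [AES::key 128] 2]   ;# AES::key used only as a random source
    table set -subtable ret $nonce [HTTP::uri] 300
    HTTP::respond 302 Location $static::logon_path \
        Set-Cookie "$static::ret_cookie=$nonce; Path=/; HttpOnly"
}
when HTTP_RESPONSE {
    # Assumption: the logon URL answers 401 until logon succeeds, then 200.
    if { !$at_logon || [HTTP::status] != 200 } { return }
    # Fresh token after logon; the pre-logon nonce is never promoted.
    set tok [lindex [AES::key 128] 2]
    table set -subtable sess $tok 1 $static::idle
    set cookie "$static::sess_cookie=$tok; Path=/; HttpOnly"
    set ret ""
    if { $nonce ne "" } {
        set ret [table lookup -subtable ret $nonce]
        table delete -subtable ret $nonce
    }
    # Only a same-site path is an acceptable redirect target.
    if { ![string match "/*" $ret] || [string match "//*" $ret] } {
        HTTP::header insert Set-Cookie $cookie
        return                            ;# no bookmark: serve the logon page
    }
    # Redirect back, keeping the server's own Set-Cookie headers.
    set cmd [list HTTP::respond 302 Location $ret Set-Cookie $cookie]
    foreach c [HTTP::header values Set-Cookie] { lappend cmd Set-Cookie $c }
    eval $cmd
}
```

The URLs in the question are plain http://, so the cookies here carry no Secure attribute; on an HTTPS virtual server, add it to both.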