Forum Discussion

vincent_munier_
Oct 03, 2013

How to use APM external logon pages?

Hi, I need to authenticate users accessing my web application. To do that I'm using an authentication profile with the built-in logon page (linked with a RADIUS server). It's working perfectly. But for design purposes, I need to use an authentication form specially designed for my web application (CSS, fonts, ...). I can't do that with the built-in logon page. So I would use an external logon page to do that (just to externalize the HTML form, but not to externalize the authentication process, which must be managed by the F5 APM). I read the documentation about external logon pages ( http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-config-11-4-0/apm_config_general_actions.html195539 ) but it's not very clear to me. Can you give me some examples of external logon page implementations? Do I need to add an iRule to capture and pass variables (user and password) to the F5 APM authentication process? (Because my external form will just present the HTML form, but will not do the authentication.) Thank you for your help. Vincent

 

8 Replies

  • How would this solution differ if the backend server (http://logon.acme.com/ in this case) was the one performing the authentication and not the F5?

     

    Is there a way for APM to still capture the username that was entered on the external logon page?

     

  • As long as after a successful authentication the backend server posts the username back to my.policy, it should work. If you need to capture anything other than username/password you will need to use an iRule and use: ACCESS::restrict_irule_events disable.

     

    Out of curiosity what are you trying to do?

     

  • I'm trying to capture the username inputted on a backend login page and store it in an APM session. I don't have the ability to change the POST action on the web application, so it can't be posted directly back to my.policy.

     

    I'm currently trying to achieve this with an iRule but no luck yet...

     

  • To anyone else looking to achieve this, I was able to do it using an iRule provided by an F5 resource:

     

    start of irule

    when RULE_INIT {
        # must recognize attempts to login to application (e.g., CareLink)
        set static::login_action "/EpicCareLink/common/epic_check.asp"
        set static::uid_field "Account_ID"
    }

    when HTTP_REQUEST {
        set savecreds false
        if {([HTTP::uri] eq $static::login_action) && ([HTTP::method] eq "POST")} {
            # client is attempting application login, so we will save the username
            set savecreds true
            set uid ""
            set clen [HTTP::header Content-Length]
            set clen [expr {(($clen eq "") || ($clen > 10240)) ? 10240 : $clen}]
            if {$clen > 0} { HTTP::collect $clen }
            return
        }
    }

    when HTTP_REQUEST_DATA {
        foreach field [split [HTTP::payload] "&"] {
            foreach {n v} [split $field "="] {
                if {$n eq $static::uid_field} { set uid [URI::decode $v] }
            }
            if {$uid ne ""} { break }
        }
        HTTP::release
    }

    when ACCESS_ACL_ALLOWED {
        if { $savecreds } {
            ACCESS::session data set session.custom.carelinkusername $uid
        }
    }

    end of irule
    • kmurphy_130520
      sorry the format was absolutely butchered there. If a moderator could edit that into a code block that'd be great. Thanks
    • DenisG_22372
      Historic F5 Account
      when RULE_INIT {
          # must recognize attempts to login to application (e.g., CareLink)
          set static::login_action "/EpicCareLink/common/epic_check.asp"
          set static::uid_field "Account_ID"
      }
      
      when HTTP_REQUEST {
          set savecreds false
          if {([HTTP::uri] eq $static::login_action) && ([HTTP::method] eq "POST")} {
              # client is attempting application login, so we will save the username
              set savecreds true 
              set uid "" 
              set clen [HTTP::header Content-Length] 
              set clen [expr {(($clen eq "") || ($clen > 10240)) ? 10240 : $clen}] 
              if {$clen > 0} { HTTP::collect $clen } 
              return
          }
      }
      
      when HTTP_REQUEST_DATA {
          foreach field [split [HTTP::payload] "&"] {
              foreach {n v} [split $field "="] {
                  if {$n eq $static::uid_field} {
                      set uid [URI::decode $v] 
                  }
              }
              if {$uid ne ""} { break }
          }
          HTTP::release
      }
      
      when ACCESS_ACL_ALLOWED {
          if { $savecreds } {
              ACCESS::session data set session.custom.carelinkusername $uid
          }
      }
      
  • when RULE_INIT {
        # must recognize attempts to login to application (e.g., CareLink)
        set static::login_action "/EpicCareLink/common/epic_check.asp"
        set static::uid_field "Account_ID"
    }
    
    when HTTP_REQUEST { 
       set savecreds false 
       if {([HTTP::uri] eq $static::login_action) && ([HTTP::method] eq "POST")} { 
         # client is attempting application login, so we will save the username
         set savecreds true 
         set uid "" 
         set clen [HTTP::header Content-Length] 
         set clen [expr {(($clen eq "") || ($clen > 10240)) ? 10240 : $clen}] 
         if {$clen > 0} { HTTP::collect $clen } 
         return 
       }
    }
    
    when HTTP_REQUEST_DATA { 
       foreach field [split [HTTP::payload] "&"] { 
         foreach {n v} [split $field "="] { 
           if {$n eq $static::uid_field} { 
             set uid [URI::decode $v] 
           } 
         } 
         if {$uid ne ""} { break } 
       } 
       HTTP::release
    }
    
    when ACCESS_ACL_ALLOWED { 
       if { $savecreds } { 
         ACCESS::session data set session.custom.carelinkusername $uid 
       }
    }
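
Added example, not part of the thread or F5's code: a plain-tclsh harness that runs the iRule's field-extraction loop against constructed request bodies, next to a stricter variant that splits each pair on its first "=" only. The procs `url_decode` (a stand-in for `URI::decode`, assumed to do percent-decoding only), `extract_loose` and `extract_strict`, the `cap` parameter modelling the 10240-byte `HTTP::collect` limit, and the sample bodies are all assumptions made for this illustration.

```tcl
# Added example for plain tclsh. url_decode stands in for the iRule command
# URI::decode (assumption: percent-decoding only).
proc url_decode {s} {
    set out ""
    for {set i 0} {$i < [string length $s]} {incr i} {
        set hex [string range $s [expr {$i + 1}] [expr {$i + 2}]]
        if {[string index $s $i] eq "%" && [regexp {^[0-9A-Fa-f]{2}$} $hex]} {
            append out [format %c [scan $hex %x]]
            incr i 2
        } else {
            append out [string index $s $i]
        }
    }
    return $out
}

# Same loop as the iRule's HTTP_REQUEST_DATA handler; cap models HTTP::collect.
proc extract_loose {body name {cap 10240}} {
    set uid ""
    foreach field [split [string range $body 0 [expr {$cap - 1}]] "&"] {
        foreach {n v} [split $field "="] {
            if {$n eq $name} { set uid [url_decode $v] }
        }
        if {$uid ne ""} { break }
    }
    return $uid
}

# Stricter variant: split each pair on its first "=" only.
proc extract_strict {body name {cap 10240}} {
    foreach field [split [string range $body 0 [expr {$cap - 1}]] "&"] {
        set pos [string first "=" $field]
        if {$pos > 0 && [string range $field 0 [expr {$pos - 1}]] eq $name} {
            return [url_decode [string range $field [expr {$pos + 1}] end]]
        }
    }
    return ""
}

# Constructed request bodies (not captured traffic).
foreach b [list \
        "Account_ID=j%40doe&Password=x" \
        "Account_ID=a=b&Password=x" \
        "note=x=Account_ID=other&Account_ID=jdoe" \
        "pad=[string repeat A 10240]&Account_ID=jdoe"] {
    puts [format "%-40.40s loose=%-6s strict=%s" $b \
        [extract_loose $b Account_ID] [extract_strict $b Account_ID]]
}
```

The second and third bodies are where the two parsers disagree, because the original loop treats every "=" as a separator; the last body shows that a field placed after the first 10240 bytes is never seen by either.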