Forum Discussion

John_T__Morgan_
Mar 29, 2015

Preserving Session Variables after a redirect

Hi All,

I have a LAB BIG-IP (11.6) set up which has the following: 2 virtual servers, 2 access policies.

The BIG-IP is being used as a perimeter device and allows external access to our network. Both my virtual servers have externally accessible IP addresses.

One of the virtual servers is used to load balance and front-end a Citrix farm. This works great as long as we log in to the virtual server directly. Users are directed to the Citrix Web Interface server and are presented with their applications, and everything works the way it should: SSO works, applications launch, everything is great.

The problem is that I would like to not have the requirement for people to log directly into the virtual server for Citrix. We have a primary external-facing interface and we just want people to log into that, and then get redirected to the Citrix virtual server if they are in certain AD groups or if their machines fail certain client configuration checks. The idea here is to hand out one external URL to all our users and then have them be redirected based on AD queries and machine checks.

My main access policy (tied to the preferred external-facing virtual server) does an "allow and redirect" if a person is in a particular AD group or meets other requirements. This works fine and passes the user directly to the Citrix virtual server if the results of the queries and client checks warrant that they only be allowed Citrix (as opposed to full VPN access).

My problem is that once I do the redirect, all the session variables from the initial logon are lost and the users need to re-authenticate either on the Citrix virtual server or at the Web Interface. We don't want this to happen; we are trying to keep SSO working.

I have tried simply doing an RDP resource for the Citrix users, but it is fairly awkward and doesn't seem to work very well.

So (after all that) here are my questions:

  1. Is there any way to keep session variables such as "session.logon.last.username" and "session.logon.last.password" active after a redirect?

  2. If that's not possible, is there a way to create custom variables containing the values of the "session.logon.last.username" and "session.logon.last.password" variables and have those custom variables persist after the redirect?

Thanks in advance for reading this and attempting to answer.

Also, if you need to see my access policies or any other configurations of my lab config, I'll post them here on request.

-John

 

5 Replies

  • Nobby_67786
    Hi John,

    The best way to do this would be to set up SAML federation between your VIPs and access policies. Configure your primary access policy to act as an IdP and all your others to be SPs. If you've got variables you capture (like username and password) you can pass them as attributes in the SAML payload. The great thing about that solution is that your VIPs don't even need to be on the same device, so if you need to scale or distribute services your authentication architecture will already support it.

    Hope this helps point you in the right direction.

    - Nobby

    • John_T__Morgan_
      Hi Nobby, would I still need to do an "Allow and Redirect", or would there be a better method than that? -John

    • Nobby_67786
      So you have several options.

      - If the user you're authenticating only has access to one app/service (which you might determine via AD groups, for example) then you could have an ending Redirect action and send them just to that service. The act of redirecting the user to the app would then generate an SP-initiated SAML transaction, which would actually redirect the user back to the first VIP (to get the SAML assertion), and as the user is already authenticated, APM would just hand them the assertion and direct them back to the app.

      - You also have the option to present the user a webtop with links to the apps they have access to. In this scenario the links can include SAML resources for which APM can generate an IdP-initiated assertion (no bouncing around between VIPs).

      Either way works, and the extra redirects aren't so noticeable unless you've got massively latent links (like satellite). I'm based in Australia, and the ~200ms from here to Seattle, where lots of my APM sessions terminated, didn't cause any significant delays even for SP-initiated sessions.
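The hand-off Nobby describes (the IdP-side policy wraps captured logon values in a SAML assertion, the SP-side policy checks the assertion before populating its own session) is sketched below as an added, stand-alone example. It is not code from this thread or from F5; APM does this internally. It uses only the Python standard library, so the XML signature that APM would verify is deliberately not modelled; the example covers the other checks an SP must make before trusting the attributes: issuer, audience and validity window. The hostnames, the attribute name (chosen to mirror the session variable named in the question) and the five-minute lifetime are assumptions.

```python
"""Added example, not from the thread or from F5: a minimal SAML 2.0 attribute
hand-off between an IdP-side and an SP-side policy, stdlib only.  Signature
verification (which a real IdP/SP pair such as APM performs) is omitted."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _q(tag):
    """Clark-notation tag name in the SAML assertion namespace."""
    return "{%s}%s" % (SAML_NS, tag)


def _iso(dt):
    return dt.strftime(TIME_FMT)


def _parse_iso(text):
    return datetime.strptime(text, TIME_FMT).replace(tzinfo=timezone.utc)


def build_assertion(issuer, audience, attributes, now=None,
                    lifetime=timedelta(minutes=5)):
    """IdP side: carry captured session values in an AttributeStatement,
    scoped to one audience and a short validity window."""
    now = now or datetime.now(timezone.utc)
    root = ET.Element(_q("Assertion"), {"Version": "2.0", "IssueInstant": _iso(now)})
    ET.SubElement(root, _q("Issuer")).text = issuer
    cond = ET.SubElement(root, _q("Conditions"), {
        "NotBefore": _iso(now),
        "NotOnOrAfter": _iso(now + lifetime),
    })
    aud = ET.SubElement(cond, _q("AudienceRestriction"))
    ET.SubElement(aud, _q("Audience")).text = audience
    stmt = ET.SubElement(root, _q("AttributeStatement"))
    for name, value in attributes.items():
        attr = ET.SubElement(stmt, _q("Attribute"), {"Name": name})
        ET.SubElement(attr, _q("AttributeValue")).text = value
    return ET.tostring(root, encoding="unicode")


def validate_assertion(xml_text, expected_issuer, expected_audience, now=None):
    """SP side: accept the assertion only if issuer, audience and validity
    window check out; return the attributes as session-variable pairs.
    Raises ValueError on any failed check."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != _q("Assertion"):
        raise ValueError("not a SAML assertion")
    issuer = root.findtext(_q("Issuer"))
    if issuer != expected_issuer:
        raise ValueError("unexpected issuer: %r" % issuer)
    cond = root.find(_q("Conditions"))
    if cond is None:
        raise ValueError("missing Conditions")
    not_before = _parse_iso(cond.get("NotBefore"))
    not_on_or_after = _parse_iso(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.iter(_q("Audience"))]
    if expected_audience not in audiences:
        raise ValueError("assertion not addressed to this SP")
    return {attr.get("Name"): attr.findtext(_q("AttributeValue"))
            for attr in root.iter(_q("Attribute"))}


def demo():
    """Constructed round-trip: a fresh assertion is accepted, a stale one and
    one addressed to a different SP are rejected."""
    idp, sp = "https://vpn.example.test/idp", "https://citrix.example.test/sp"
    t0 = datetime(2015, 3, 29, 12, 0, tzinfo=timezone.utc)
    xml = build_assertion(idp, sp, {"session.logon.last.username": "jmorgan"}, now=t0)
    results = {"attrs": validate_assertion(xml, idp, sp, now=t0 + timedelta(minutes=1))}
    for key, audience, at in (("stale_rejected", sp, t0 + timedelta(minutes=6)),
                              ("wrong_audience_rejected",
                               "https://other.example.test/sp", t0 + timedelta(minutes=1))):
        try:
            validate_assertion(xml, idp, audience, now=at)
            results[key] = False
        except ValueError:
            results[key] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Only the username is carried here. If the password is passed as an attribute too, as the reply allows, the assertion itself becomes a credential carrier, so the signature check omitted above, TLS on every leg of the redirect, and a short NotOnOrAfter window stop being optional, and the assertion must not end up in access logs.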
  • John_T__Morgan_
    Thank you.

    That sounds like an excellent solution.

    Now I just have to familiarize myself with SAML. :-)

    I'll try tomorrow and report back.

    -John