Forum Discussion

Rosieodonell_16
Oct 21, 2015

Change which SSO you use based on if your device is mobile or not.

Hey Everyone,

 

I have a virtual server with an access policy where I need to switch the SSO based on what kind of device you are using. Both SSOs are "Forms - Client initiated". I created product_mobile_sso and product_tablet_sso SSO configurations.

 

Here is the iRule I currently have on it to sort the traffic based on User-Agent header info:

 

when HTTP_REQUEST {
    if { (([string tolower [HTTP::header "User-Agent"]] contains "iphone") && ([string tolower [HTTP::uri]] equals "/"))} {
      log local0. "Redirecting by iphone detection"
      HTTP::respond 302 location "https://www.company.com/mobilepage.aspx" 
    } elseif { [string tolower [HTTP::uri]] equals "/" } {
      log local0. "Redirecting without iphone detection"
      HTTP::respond 302 location "https://www.company.com/tabletpage.aspx"
  }
}

I tried adding WEBSSO with the following code:

 

when HTTP_REQUEST {
    if { (([string tolower [HTTP::header "User-Agent"]] contains "iphone") && ([string tolower [HTTP::uri]] equals "/"))} {
      log local0. "Redirecting by iphone detection"
      HTTP::respond 302 location "https://www.company.com/mobilepage.aspx" 
    } elseif { [string tolower [HTTP::uri]] equals "/" } {
      WEBSSO::select product_tablet_sso
      log local0. "Redirecting without iphone detection"
      HTTP::respond 302 location "https://www.company.com/tabletpage.aspx"
  }
}

But I get the following error: "Unable to find ss_config (product_tablet_sso) referenced at line 9: [WEBSSO::select product_tablet_sso]". Just wondering if someone has some advice to give. Thanks in advance!

 

5 Replies

  • So I tried this code:

    when HTTP_REQUEST {
        if { (([string tolower [HTTP::header "User-Agent"]] contains "iphone") && ([string tolower [HTTP::uri]] equals "/"))} {
          log local0. "Redirecting by iphone detection"
          HTTP::respond 302 location "https://www.company.com/mobilepage.aspx"
        } elseif { [string tolower [HTTP::uri]] equals "/" } {
          set sso_config /Common/product_tablet_sso
          WEBSSO::select $sso_config
          unset sso_config
          log local0. "Redirecting without iphone detection"
          HTTP::respond 302 location "https://www.company.com/tabletpage.aspx"
        }
    }

    I don't get the error anymore but the SSO doesn't work either. Still looking for assistance!
  • Lucas_Thompson_
    Historic F5 Account

    Set your Access Profile to debug (v12) or Access to debug (v11) and look for "websso" in /var/log/apm. All of the logs are there.

     

    WEBSSO::select needs the WEBSSO object name to work; these are usually something like '/Common/myssoconfig'. Client initiated SSO is kind of complicated to troubleshoot. APM Forms Client initiated SSO (aka SSOv2 aka form-basedv2) has two conditions to operate successfully in a default configuration:

     

    1. "Form Detection": The client's request-URI must match the one configured. In logging, this is called "Request match". In the GUI, this is called "Form Detection". In TMSH, this is called "request-value".

       

    2. "Form Identification": The HTML of the page must match the input values configured. In logging, this is called "Form detected". In the GUI, this is called "Form Identification".

       

    Some forms don't work right with Client-Initiated SSO's default injected JavaScript. The two most common cases are when client-side encryption functions are called so that the POST data is not sent plainly, and also when some kind of onSubmit function is called when the form is submitted, or when the Submit button has an "onclick" event. In these cases, the JS must be modified to suit the particular page.

     

    So before you worry about selecting the SSO with this iRule (don't try to troubleshoot two things at once!), verify that the config works at all by setting it as the default WEBSSO type for your access profile.

     

    • Rosieodonell_16
      Cirrus
      I have tested both SSO profiles and they work fine. So now I just need to use the right one when needed. Is there a way to call the WEBSSO function from an ievent in the access policy VPE?
  • Lucas_Thompson_
    Historic F5 Account

    No, iRule events from VPE run in the context of the connection between TMM and the APM HTTP server that serves up the end-user pages (my.policy), so they're not involved here. Additionally, the Policy Items in the VPE only run one time at login, while the user is logging in.

    To do a very simple test, just use the APM events and try something like:

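    when ACCESS_ACL_ALLOWED {
      # Tcl quotes strings with double quotes; single quotes would be part of the value
      if { [string tolower [ACCESS::session data get "session.user.agent"]] contains "iphone" } {
        log local0. "setting websso because iphone"
        # the SSO config object name after /Common/ is left out in the original post
        WEBSSO::select "/Common/"
      } else {
        log local0. "not setting websso"
      }
    }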
    

    Make sure to use the full name of the config object, like "/Common/whatever".

  • Try adding your SSO logic to the ACCESS_ACL_ALLOWED event type. This is where I have my SSO logic and it works great.
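
Putting the replies together, as an added example that is not code from any post in the thread: the SSO selection moves out of HTTP_REQUEST into ACCESS_ACL_ALLOWED and chooses between the two configs the original poster created. It assumes both objects live in the /Common partition (the thread only shows that path for product_tablet_sso) and that the redirect logic stays in the existing HTTP_REQUEST iRule.

```tcl
when ACCESS_ACL_ALLOWED {
    # User-Agent as recorded in the APM session. The value is supplied by the
    # client, so it is used here only to pick between two SSO configs for an
    # already-authenticated session, not to decide whether access is granted.
    set ua [string tolower [ACCESS::session data get "session.user.agent"]]

    # Full object path, as WEBSSO::select requires.
    # /Common/product_mobile_sso is an assumed path; adjust to your partition.
    if { $ua contains "iphone" } {
        set sso_config "/Common/product_mobile_sso"
    } else {
        set sso_config "/Common/product_tablet_sso"
    }

    # catch keeps a failed selection from raising an uncaught Tcl error in the
    # iRule, and leaves a line in the log to correlate with the "websso"
    # entries in /var/log/apm.
    if { [catch { WEBSSO::select $sso_config } err] } {
        log local0. "WEBSSO::select $sso_config failed: $err"
    } else {
        log local0. "WEBSSO selected $sso_config"
    }
}
```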