APM - Delete SSO credentials after login

Question

Hello everybody,&nbsp;
I couldn't find any solution on my issue so far, so I try my luck here.&nbsp;
We use APM to access a SAP Portal. To realize SSO with the F5 and the SAP Portal login side, our One-Time-Password is made valid for 5 sec. After you have logged in to the F5 (Radius Auth.), username + password are forwarded to the SAP Portal with SSO credential mapping. This makes the OTP to a two-time-password. Not the nicest thing, but it works. From now on, I have a valid session  on the F5 with the OTP is stored in the credential mapping, and I have a separate session on the SAP Portal with a session cookie.&nbsp;
Behind the SAP Portal are various Systems like Lotus iNotes, a CRM and various other SAP Systems (ERP, BW, PI, etc.). All those systems work fine as they use named user accounts, based on the SAP Portal session Cookie. Except for the business warehouse System. We do have appr. 1200 named users in the SAP Portal, but a user/licence limit of about 200 in the BW system! That's why the programmers have decided to use a general/anonymous service user to display statistics, analysis, etc., and directly coded the user into the HTTP request towards the BW system. Ugly, I know.&nbsp;
Both, the SAP Portal and the BW System are based on the JAVA stack of SAP and use the fieldnames "j_user" and "j_password" at the loginpage.&nbsp;
But, the F5 SSO seems to be faster then the posted service user and password in the URL. She uses the username and OTP from the initial login, because the fieldnames from the BW are the same: j_user and j_password! If I remove the SSO from APM, so I have to Login to the F5 APM and the SAP Portal separately, the BW application later on works fine.&nbsp;
Sorry for the long explanations, but this leads me to my questions. Is it somehow possible to delete the cached SSO credentials after the APM has passed Login Page -&gt; Radius Auth. -&gt; SSO Credential Mapping -&gt; Webtop and Links Assign? &nbsp;
I know that the F5 works correctly here, but perhaps there's somehow a chance to have a workaround in place with F5 until the application issue is solved?!&nbsp;
Many thanks in advance
Lars&nbsp;

josiah_39459 · Accepted Answer

Is the BW app a pool or a weblink or what?  If SSO is being applied that means the request must be passing through the F5, so on whatever vip gets the request, check the HTTP_REQUEST event [HTTP::uri] and apply SSO::disable accordingly.
e.g.
when HTTP_REQUEST {
  if { [HTTP::uri] starts_with '/blahblahblah' } {
    WEBSSO::disable
  }
}

or
   when ACCESS_ACL_ALLOWED {
      if { [HTTP::uri] starts_with '/blahblahblah' } {
        WEBSSO::disable
      }
    }

similar depending on your app and f5 config

larss__178188 · Answer

The BW System is not a pool. The SAP Portal only delivers a framework and forwards URI links to the Client. The Client himself is responsible for calling those embedded applications like the BW. In this case, the F5 as a reverse proxy is responsible for calling them and inserts the credentials from the SSO credential mapping.

I didn't work much with iRules so far, so I didn't know the SSO::disable Option. I'll check it out and come back to it afterwards.

Many thanks for this hint!
Lars

walter_kacynsk1 · Answer

The proper command name is WEBSSO::disable  -- https://clouddocs.f5.com/api/irules/WEBSSO__disable.html

walter_kacynski · Answer

There are many ways to accomplish this.  Here is a method that I have used to hardcode static accounts.  The downside to this approach is that the password would be coded in plain text in the big-ip configuration.  Depending on your setup this may or may not be a problem.  I chose not to use the HTTP Basic Auth SSO object since it requires more coordination and the task can be solved with a single iRule.
when ACCESS_POLICY_COMPLETED {
    switch [ACCESS::session data get "session.policy.result"] {
        "allow" {
             Setup BW SSO Object with a custom session variable that stores the base64 encoded version of username:password
            ACCESS::session data set -secure session.custom.sso.bwAuth [b64encode StaticUsername:StaticPassword] 
        }
    }
}

when ACCESS_ACL_ALLOWED {
    switch -glob [HTTP::uri] {
        "/bw*" {
             Insert the pre-constructed Basic Auth header for this URL
            HTTP::header replace "Authorization" "Basic [ACCESS::session data get -secure session.custom.sso.bwAuth]"
        }
    }
}

josiah_39459 · Answer

Thanks!  fixed

larss__178188 · Answer

Due to the hint by Josiah and the wiki artical, I've created the following iRule, which works fine in our enviroment:

when ACCESS_ACL_ALLOWED {
if { [HTTP::uri] contains "/irj/servlet/prt/portal/prtroot/com.sap.ip.bi.web.portal.integration.launcher;" } {
   log local0. "Disabling SSO for this request: [HTTP::uri]"
    WEBSSO::disable
  }
}

The iRule for the hard coded users looks nice as well, but we want to remove these kind of request completely and switch to a different architecture.

Many thanks for your help

Forum Discussion

APM - Delete SSO credentials after login

6 Replies

Recent Discussions

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

minimum tmos software version for connect CIS (openshift)

Related Content

OWASP Automated Threats - Credential Stuffing (OAT-008)

Deleting an AS3 Tenant

Leaked Credential Check with Advanced WAF

Delete VS

Creating a Credential in F5 Distributed Cloud for Azure