Forum Discussion

Marvin_129795
Dec 13, 2016
Solved

F5 APM retrieve AD groups and resend using HTTP POST parameter

Dear all,


I am looking at a particular situation where an internal web server needs to know what kind of AD membership groups are assigned to a user that tries to log in. The authentication only takes place on the F5 APM and NOT on the internal server. The internal server only needs to verify AD group membership, but may not communicate with AD.


The idea is to:


  1. Create a login page using APM
  2. authenticate using username and password to AD
  3. Retrieve the AD group membership
  4. Include a POST parameter with this AD group membership information and send it to the internal web server

Has somebody already had a similar situation before?


14 Replies

  •
    Dan_73594
    Historic F5 Account

    Hi Marvin,


    Is this to say the first request to the backend server must be a POST, and that POST must contain AD group membership?


    Dan


  •
    Lucas_Thompson_
    Historic F5 Account

    Yes this is fairly simple. Use LTM+APM mode, and AD Query / AD Auth in your Access Policy. Set the "start uri" parameter to your backend app's URI, and use forms-based SSO (server-initiated) to fill in the resultant session variables from your AD Query into your form parameter. The groups will be in the form of a pipe-delimited list of the group DNs that came back from the query.
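
As an added illustration of the answer above (not code from this thread or from F5): the backend-side parser for the pipe-delimited list of group DNs that the SSO form parameter would carry, with an exact-DN membership check. The form field name `ad_groups`, the group DNs and the sample POST body are constructed assumptions.

```python
"""Parse the pipe-delimited AD group list that an APM forms-based SSO
profile posts to the backend and make an authorization decision from it."""
from urllib.parse import parse_qs


def parse_memberof(value: str) -> list:
    """Split a pipe-delimited list of group DNs into normalized DNs.

    Leading/trailing pipes and surrounding whitespace are tolerated, and
    DNs are lower-cased because AD distinguished names are case-insensitive.
    """
    groups = []
    for part in value.split("|"):
        dn = part.strip()
        if dn:
            groups.append(dn.lower())
    return groups


def is_member(memberof_value: str, required_dn: str) -> bool:
    """Exact-DN comparison: a substring test such as 'Finance' in value
    would also match CN=Finance-Readonly, so compare whole DNs only."""
    return required_dn.strip().lower() in parse_memberof(memberof_value)


def authorize_post(body: str, param: str, required_dn: str) -> bool:
    """Read the form field the SSO profile populates and decide access.

    A missing or duplicated field is treated as a deny, so a malformed
    request never defaults to 'allowed'.
    """
    fields = parse_qs(body, keep_blank_values=True)
    values = fields.get(param, [])
    if len(values) != 1:
        return False
    return is_member(values[0], required_dn)


# Constructed sample of the URL-encoded POST body the backend would receive:
# ad_groups=|CN=Finance,OU=Groups,DC=example,DC=com|CN=Domain Users,...|
SAMPLE_BODY = (
    "username=jdoe&"
    "ad_groups=%7CCN%3DFinance%2COU%3DGroups%2CDC%3Dexample%2CDC%3Dcom%7C"
    "CN%3DDomain+Users%2CCN%3DUsers%2CDC%3Dexample%2CDC%3Dcom%7C"
)

if __name__ == "__main__":
    print(parse_memberof(parse_qs(SAMPLE_BODY)["ad_groups"][0]))
    print(authorize_post(SAMPLE_BODY, "ad_groups",
                         "CN=Finance,OU=Groups,DC=example,DC=com"))
```

The group list is an assertion made by APM, not something the backend verified itself, so the backend should only honour this field on requests that arrived through the APM virtual server (for example by not being reachable directly from clients).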


    •
      Marvin

      Hi Lucas, yes, I was exactly thinking about that scenario, but wanted to verify point 4. Do you have an example of how to configure the forms-based SSO? Should I use the form action to include the session variable with the AD groups? Where am I able to define the parameter used for this purpose?


    •
      Marvin

      Ahh ok, just like a hidden form, great!! That's why I love DevCentral :-), thanks!!


    •
      Marvin

      Hi Lucas, I am working on this configuration. Authentication works fine, and F5 APM also receives the AD group information. I configured the SSO form profile similar to your example. In the APM log I see that the policy result is allow; however, I don't see any HTTP POST being sent by the SSO form functionality.


      I have properly applied the SSO profile to the Access policy. Do you have any idea how to find the cause?