Forum Discussion

vineyard_166933
Feb 10, 2017

Make client use the same webserver our landing page got when requesting authentication token

Hi

We have a, let's call it, landing page (LP) for external users. They use it to find resources. It's a single server and has no LB at the moment.

A user can use the LP and SSO will preauthenticate with a JSON auth token to a remote load balanced service. When the user clicks the link for that service, it's only preauthenticated if it hits the same LB server the LP got the auth token from.

So I'm trying to find the best solution for how it can always hit the server it's authenticated on.

So far we added the lb::server_iaddress to a header in HTTP_RESPONSE so the LP will know the server it got the token from.

So where to go from here? Maybe the LP can give the user a different link based on the added header, then the F5 can make a decision based on the URL and clean up the URL. This would require different persistence and load balancing methods for the LP (none/round robin) and for clients (cookie/least connections).

But I also feel like there might be some built-in feature that simplifies this?

3 Replies

  • Hi vineyard,

    is the traffic flow like this?

    1. User directly accesses the application
    2. LTM will balance to an application server
    3. Application server redirects to the landing page and passes an auth token
    4. User is authenticated and gets a redirect back to the application with another auth token

    If not, then please explain the detailed traffic flow step-by-step.

    Cheers, Kai

  • So there are 2 authentications and 2 applications; the landing page is one and the remote service is another. These are purchased solutions, but this is my current understanding of the SSO.

    1. user authenticates on the landing page, connecting from the client IP to the landing page (not load balanced)
    2. landing page reuses the login to get an authentication token from the remote service, connecting from the LP to the remote service (load balanced)
    3. when the user wants to use the remote service some time later, the token is used for SSO to the remote service, connecting from the client IP to the remote service (load balanced)
  • Attaching what we ended up doing with the F5 configuration for the remote service.

    when HTTP_REQUEST {
      # Requests from the landing page itself (addresses listed in the LP_IP
      # data group): any member may answer, and no persistence record is kept.
      if { [class match [IP::client_addr] equals LP_IP] } {
        pool RemoteApp
        persist none
      }
      else {
        # External users arrive with a link the LP built from the VIA header
        # (a "/s_a" or "/s_b" suffix): strip that suffix and steer the request
        # to the member that issued the token. Only the trailing four
        # characters are removed, so the marker is never matched mid-path.
        # Note that HTTP::uri includes any query string, so the marker must be
        # the last thing in the link for the ends_with test to succeed.
        if { [string tolower [HTTP::uri]] ends_with "/s_a" } {
          HTTP::uri [string range [HTTP::uri] 0 end-4]
          pool RemoteApp member 99.99.99.98 80
        }
        elseif { [string tolower [HTTP::uri]] ends_with "/s_b" } {
          HTTP::uri [string range [HTTP::uri] 0 end-4]
          pool RemoteApp member 99.99.99.99 80
        }
        else {
          # No marker: ordinary load balancing with the virtual's persistence profile.
          pool RemoteApp
        }
      }
    }

    when HTTP_RESPONSE {
      # Tell the LP which member issued the token. The header is only added on
      # the LP's own requests, so member addresses are not exposed to end users.
      if { [class match [IP::client_addr] equals LP_IP] } {
        HTTP::header insert VIA [LB::server addr]
      }
    }
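As an added illustration (not the thread's iRule or anything from F5), the following Python model of the HTTP_REQUEST decision above can be run offline to check each routing case. It assumes a constructed LP_IP data group address and the two member addresses from the post, and it matches the marker against the path only, so a link that also carries a query string still routes and keeps its query (the posted iRule tests HTTP::uri, which includes the query).

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-ins for the thread's LP_IP data group and RemoteApp members.
LP_IPS = {"10.0.0.5"}  # hypothetical landing page address
MEMBERS = {"/s_a": ("99.99.99.98", 80), "/s_b": ("99.99.99.99", 80)}


def route(client_ip, uri):
    """Model the iRule decision.

    Returns (member, persistence, rewritten_uri):
      member      -> explicit pool member tuple, or None for normal load balancing
      persistence -> "none" for the LP's token fetch, "profile" otherwise
    """
    # LP fetching the token: any member may answer, no persistence record.
    if client_ip in LP_IPS:
        return (None, "none", uri)

    parts = urlsplit(uri)
    path_lower = parts.path.lower()
    for suffix, member in MEMBERS.items():
        # Marker must be the trailing path element; "/s_a" mid-path is ignored.
        if path_lower.endswith(suffix):
            new_path = parts.path[: -len(suffix)] or "/"
            # Query string is preserved; the marker is stripped from the path only.
            new_uri = urlunsplit(("", "", new_path, parts.query, ""))
            return (member, "profile", new_uri)

    # No marker: ordinary load balancing with the virtual's persistence profile.
    return (None, "profile", uri)
```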