APM Username header for back-end server authentication

Question

I am working on a puzzling issue with headers in APM.  The environment I am working in is currently running through a dying Tivoli Access Manager for authentication.  Many of the back-end servers were setup for header authentication, where the username is passed in a header value.&nbsp;
The issue I am having is replicating this functionality.  No matter which event I use for the HTTP::header insert.  It is not making it into the crucial message to the back-end server.&nbsp;
What does work is that in the SSO Forms-based authentication.  I can choose advance configuration and insert a header in the SSO configuration file that has the right name and a static username.  This will get passed appropriately to the back-end server and the user is authenticated.  This obviously isn't the dynamic solution I want as it only works for 1 user.  What I need is to insert a header with a value based on the session.logon.last.username variable that is sent with the SSO Form to the back-end server.  Any suggestions on how to do that would be much appreciated.&nbsp;

amass87_221296 · Answer

Not to answer my own question, but I am about to test using a variable in the form.  The article says it only applies to certain versions in 11.x code, but here goes.&nbsp;
https://support.f5.com/csp/article/K13751&nbsp;
%{session.sso.token.username}&nbsp;

niels_van_sluis · Answer

This works for me:
when HTTP_REQUEST {
    if { [ACCESS::session exists -state_allow -sid [HTTP::cookie MRHSession] ] } {
        HTTP::header insert X-Username [ACCESS::session data get session.logon.last.username]
    }
}

amass87_221296 · Answer

Awesome, I might try that.  This solution article actually worked, so I am very relieved.
https://support.f5.com/csp/article/K13751&nbsp;

boneyard · Answer

i have been able to use variables like %{session.sso.token.username} fine through several versions up to and including 12.x&nbsp;

wick54 · Answer

Hi amass87 221296,&nbsp;I'm new to F5 and I have ran in to the same problem as you are, we are in process of replacing IBM TFIM solution and trying to replicate the HTTP::Header insert function on F5.&nbsp;I've created a form based SSO object as described in this article and wondering how this get added in to APM Policy.&nbsp;I have created a basic APM policy and associcated this SSO object with it. &nbsp;However this still doesn't work as expected. are you able to share working configuration please?

Forum Discussion

APM Username header for back-end server authentication

5 Replies

Recent Discussions

Stable Firmware for F5

F5 VE in Azure - troubles with Sentinel integration

Need help on i-rule to specific uri path

BigIP Next - Health Monitors / Template

LDAPS and renegotiation

Related Content

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

Stop Wappalyzer from detecting my back end server technologies

Doing mTLS Authentication per URL

iControl REST Authentication Token Management

Distributed caching of authentication requests with NGINX Ingress Controller