Forum Discussion

pstavr
Sep 03, 2018

F5 APM - Citrix StoreFront expire user credentials

Hi
We are hosting a Citrix environment on F5 and we basically used the iApp in order to deploy the solution. We are presenting the icons using Citrix StoreFront.
We have set an inactivity timeout on Citrix StoreFront for 15 mins. When the timeout gets triggered, user gets logged off from StoreFront, but all the applications / APM / terminal server sessions remain open.
The problem is that if the user goes back to the StoreFront page and clicks on the "LogOn" button, the logon process does not require the user to type a username/password, since they are stored in the APM session or the browser cookie, I guess. The logon page is from StoreFront of course (not the F5 APM) and I would like the user to type the username and password, so I don't like the fact that they are stored/cached and re-used.
I was wondering if someone has any ideas on how I could make the F5 "forget" those session variables from the active APM, or maybe expire the cookie instead somehow. Any ideas are more than welcome. I am using 12.1.2 on F5.
Thanks in advance!
9 Replies

  • I have taken this a bit further. What I am trying to do is to trigger the WEBSSO::disable event so that F5 stops providing the credentials using SSO to the backend StoreFront servers.

    The original iRule is as follows:

    when HTTP_REQUEST {
        set uri [HTTP::uri]
        set host [HTTP::host]
    }
    when CLIENT_ACCEPTED {
        ACCESS::restrict_irule_events disable
        set citrix_logout 0
    }
    when ACCESS_ACL_ALLOWED {
        set type [ACCESS::session data get session.client.type]
        if { !(${type} starts_with "citrix") } {
            if { ${uri} == "/" } {
                log local0. "Redirecting to /Citrix/InternalWeb/"
                ACCESS::respond 302 Location "https://${host}/Citrix/InternalWeb/"
            }
        }
        if { ${uri} contains "Logoff" } {
            set citrix_logout 1
            set http_host ${host}
        }
    }
    when HTTP_RESPONSE {
        if { $citrix_logout eq 1 } {
            HTTP::redirect "https://$http_host/"
        }
    }
    

    Now back to trying to trigger the WEBSSO::disable event after the user gets logged on for the 1st time. My first thought was to try and do it when ACCESS_ACL_ALLOWED is triggered. So I tried the following mod:

    when ACCESS_ACL_ALLOWED {
        set type [ACCESS::session data get session.client.type]
        if { !(${type} starts_with "citrix") } {
            if { ${uri} == "/" } {
                log local0. "Redirecting to /Citrix/InternalWeb/"
                ACCESS::respond 302 Location "https://${host}/Citrix/InternalWeb/"
            }
        }
        if { ${uri} contains "Logoff" } {
            # WEBSSO::disable (double colon); the command applies to the current request only
            WEBSSO::disable
            set citrix_logout 1
            set http_host ${host}
        }
    }
    

    That did nothing. So after X number of seconds, when the Citrix StoreFront pop-up message appears that the user is logged off and the user clicks on the LogOn button as a follow-up, the user gets authenticated without typing anything since the SSO is still very much active. My 2nd attempt was to trigger WEBSSO::disable after 15 seconds in ACCESS_ACL_ALLOWED so that the next time the user tries to log on, there is no WEBSSO. So I tried the following:

    when ACCESS_ACL_ALLOWED {
        set type [ACCESS::session data get session.client.type]
        after 15000 {
            WEBSSO::disable
        }
        if { !(${type} starts_with "citrix") } {
            if { ${uri} == "/" } {
                log local0. "Redirecting to /Citrix/InternalWeb/"
                ACCESS::respond 302 Location "https://${host}/Citrix/InternalWeb/"
            }
        }
        if { ${uri} contains "Logoff" } {
            set citrix_logout 1
            set http_host ${host}
        }
    }
    

    Again, that failed since the user was able to log on without typing anything after the StoreFront timeout was triggered.

    Since I had doubts about the WEBSSO::disable functionality, I also tried the following as a test:

    when ACCESS_ACL_ALLOWED {
        # WEBSSO::disable (double colon); runs on every request, so SSO never fires
        WEBSSO::disable
        set type [ACCESS::session data get session.client.type]
        if { !(${type} starts_with "citrix") } {
            if { ${uri} == "/" } {
                log local0. "Redirecting to /Citrix/InternalWeb/"
                ACCESS::respond 302 Location "https://${host}/Citrix/InternalWeb/"
            }
        }
        if { ${uri} contains "Logoff" } {
            set citrix_logout 1
            set http_host ${host}
        }
    }
    

    That works, but it is not suitable for me because it kills SSO immediately on the 1st logon. So the user logs on to F5 APM and then the user has to re-type credentials on StoreFront. That is not what I am after. The end goal is that the SSO is used on the 1st logon, but never again if Citrix StoreFront times out and presents the internal Citrix Log On screen.

    Any help would be greatly appreciated.
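One way to get "SSO on the first logon, never again for this APM session" is to keep WEBSSO::disable in ACCESS_ACL_ALLOWED but gate it on a custom session variable that is set the first time the SSO start URI is requested. This is an added example, not code from the thread. It assumes the form-based SSO start URI is /Citrix/InternalWeb/ (the path the original iRule redirects to), that session.custom.sso_used is a free session variable name, and that WEBSSO::disable is valid in ACCESS_ACL_ALLOWED, which the third test above shows.

```tcl
# Added example (not from the original post).
# Assumptions: the SSO start URI is /Citrix/InternalWeb/ and the APM
# session variable session.custom.sso_used is not used by anything else.

when CLIENT_ACCEPTED {
    # Let HTTP_REQUEST fire before the APM session is fully established
    ACCESS::restrict_irule_events disable
    set citrix_logout 0
}

when HTTP_REQUEST {
    set uri  [HTTP::uri]
    set host [HTTP::host]
}

when ACCESS_ACL_ALLOWED {
    set type [ACCESS::session data get session.client.type]

    # Same redirect as the original iRule for browser clients hitting "/"
    if { !(${type} starts_with "citrix") && ${uri} eq "/" } {
        ACCESS::respond 302 Location "https://${host}/Citrix/InternalWeb/"
    }

    # Empty string if the variable was never set for this session
    set sso_used [ACCESS::session data get session.custom.sso_used]

    if { ${sso_used} eq "1" } {
        # SSO already happened once for this APM session: from now on the
        # StoreFront logon form must be filled in by the user, so disable
        # WEBSSO for this request. The APM session itself stays alive.
        WEBSSO::disable
        log local0. "WEBSSO disabled for session [ACCESS::session sid] on ${uri}"
    } elseif { ${uri} starts_with "/Citrix/InternalWeb/" } {
        # First request to the SSO start URI: APM performs the form-based
        # SSO on this request. Remember it so later logons are not auto-filled.
        ACCESS::session data set session.custom.sso_used 1
        log local0. "WEBSSO used once for session [ACCESS::session sid]"
    }

    if { ${uri} contains "Logoff" } {
        set citrix_logout 1
        set http_host ${host}
    }
}

when HTTP_RESPONSE {
    if { ${citrix_logout} eq 1 } {
        HTTP::redirect "https://${http_host}/"
    }
}
```

WEBSSO::disable only affects the request it is called on, which is why calling it just on the Logoff request (attempt 1) or from an `after` timer (attempt 2) changes nothing; persisting the decision in a session variable makes it apply to every later request for the lifetime of the APM session. Check the exact start URI in the form-based SSO object before relying on the `starts_with` match, and confirm in the APM log that the flag is set on the first pass and that the disable branch fires after the StoreFront timeout.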

  • Maybe you can do something within the HTTP_RESPONSE event. You could match some HTTP Headers (cookies) that are being set when the internal StoreFront server displays a login page. When matching you can delete the APM session and send a redirect to the original requested url. Then the APM login page will show, because the APM session is deleted.
  • Hi Niels

    Thank you for your response. Unfortunately the WEBSSO::disable event is not available for use in HTTP_RESPONSE, so I guess even if I could match the HTTP header I would not be able to call WEBSSO::disable.

  • Maybe I don't understand you correctly, but I thought you don't want the user to see the StoreFront login screen ever. Just the F5 APM login page. Is that correct?
  • The 1st time a user logs on, they should get the F5 APM logon page and, if the user is allowed, the SSO will be used so that the user gets logged on in StoreFront without typing credentials a 2nd time. So at the beginning the user should not see the logon screen from Citrix because of the SSO. That part works fine. But 15 mins later, Citrix StoreFront will time out. When that happens, the user gets a logon screen from Citrix, not F5 (the APM is still alive, we want it to be alive). The Citrix logon screen has a Logon button which is supposed to take the user to the next screen where he/she will have to type username and pass. But since my APM and SSO are still active, as soon as the user clicks on the logon button, they are logged on without typing anything. That is my problem. I want the WEBSSO to be disabled as soon as the user logs in for the 1st time.

  • So you could also catch the StoreFront 'logon' button call in the HTTP_REQUEST event. If the APM session is still active and the StoreFront logon page is being retrieved, delete the APM session and redirect the user to the APM login page. I think that the WEBSSO command will not help you further.
  • Apologies, I am not explaining it properly I guess :)
    I don't want to lose the APM session. It must remain alive. That's why the logon page after the 15 mins timeout is from Citrix and not F5. And that is why I am utilizing the Citrix inactivity timeout and not the APM one. I want the APM to stay alive.
    It's just that after the timeout, when the user clicks on the Citrix logon button, the logon is automatic as the F5 is still using the SSO. So the user doesn't type username and pass. That's what I don't like. And that's why I want F5 to stop using WEBSSO after the initial APM logon of the user.

    I hope this is a bit more clear, apologies again.
  • Yes, now I think I understand it much better :-)
    I think it's key to know that StoreFront is using form-based authentication. So when StoreFront expires the session, and a user connects again using an existing and valid APM session, it will set a new CtxsAuthId cookie. At this point the APM would need to do another form-based login into StoreFront by reusing the known username and password from the existing and active APM session.

    You are probably going to need some sideband or iRuleLX calls to get this working. The iRule should perform the Form Based SSO and make it transparent to the user.