Forum Discussion

phl110_191286's avatar
phl110_191286
Icon for Nimbostratus rankNimbostratus
May 05, 2016
Solved

ACCESS_Policy_Agent_Event Remove Session

We have our exchange 2013 environment proxied behind APM via iapp configs. For browser authentication (through OWA and ECP) we have them both going to the same SAML IDP for authentication. However, ...
application delivery
BIG-IP Access Policy Manager (APM)
exchange 2013
iRules
security
  • Graham_Alderson's avatar
    Graham_Alderson
    May 06, 2016

    Your solution won't work with a VPE iRule agent because the Landing URI object is not called for subsequent requests. The access policy only runs once when the user first authenticates. Thus you need to do it in a per-request policy that runs every time or in an iRule not dependent on the VPE agent (i.e.: HTTP_REQUEST or ACCESS_ACL_ALLOWED event).

    As noted above by Seth, 12.1 will have step-up authentication capabilities within per-request policies. This is considered an early access feature. I don't believe it enables SAML Auth for stepup use cases yet though, so you'd need to do the MFA using a simple RADIUS event (not RADIUS challenge, support to come later). The benefit of using this approach instead of SAML Auth redirect is the user won't have to enter username/password again at the IdP.

    In the meantime or if that does not work for you, this iRule should solve your problem. You should remove the VPE iRule agent event you have now. You should also add a variable assign object after your successful MFA SAML auth that sets the session variable session.custom.mfa (used in the iRule) to 1. I suggest that on your VPE Landing URI object you click "change" on the /ecp URI, go to advanced mode, and change from == to starts_with so that it will capture anything starting with /ecp.

    when ACCESS_ACL_ALLOWED {
    if { [HTTP::uri] starts_with "/ecp" } {
        if { [ACCESS::session data get session.custom.mfa] != 1 } {
            ACCESS::session remove
            ACCESS::respond 301 Location "[HTTP::uri]"
        }
    }
}
Graham_Alderson's avatar
Graham_Alderson
Historic F5 Account
May 06, 2016

Your solution won't work with a VPE iRule agent because the Landing URI object is not called for subsequent requests. The access policy only runs once when the user first authenticates. Thus you need to do it in a per-request policy that runs every time or in an iRule not dependent on the VPE agent (i.e.: HTTP_REQUEST or ACCESS_ACL_ALLOWED event).

As noted above by Seth, 12.1 will have step-up authentication capabilities within per-request policies. This is considered an early access feature. I don't believe it enables SAML Auth for stepup use cases yet though, so you'd need to do the MFA using a simple RADIUS event (not RADIUS challenge, support to come later). The benefit of using this approach instead of SAML Auth redirect is the user won't have to enter username/password again at the IdP.

In the meantime or if that does not work for you, this iRule should solve your problem. You should remove the VPE iRule agent event you have now. You should also add a variable assign object after your successful MFA SAML auth that sets the session variable session.custom.mfa (used in the iRule) to 1. I suggest that on your VPE Landing URI object you click "change" on the /ecp URI, go to advanced mode, and change from == to starts_with so that it will capture anything starting with /ecp.

when ACCESS_ACL_ALLOWED {
    if { [HTTP::uri] starts_with "/ecp" } {
        if { [ACCESS::session data get session.custom.mfa] != 1 } {
            ACCESS::session remove
            ACCESS::respond 301 Location "[HTTP::uri]"
        }
    }
}
  • phl110_191286's avatar
    phl110_191286
    Icon for Nimbostratus rankNimbostratus
    May 06, 2016
    This is exactly what I was looking for. It works perfectly! Thank you so much Graham!