Form Based SSO for Dynamically built HTTP forms
Problem this snippet solves:
This snippet solves a challenge where Client Initiated Form Based SSO is required but you have no available trigger that you can configure to allow APM to detect the form.
This is typically something you can face when you try to configure SSO Forms for some version of the Citrix Storefront Web UI. when digging in the html and javascript, you can see that a single Javascript build the HTML content and thus the forms, so no ways to detect the form when data are in transit.
How to use this snippet:
You have to install a single irule on the Virtual Server protecting the web application. This irule use ACCESS commands so assuming you have APM and an access profile is attached to the Virtual Server.
Code :
when HTTP_REQUEST { if { [ACCESS::policy result] eq "allow" } { if { [HTTP::path] ends_with “/Citrix/Company/ExplicitAuth/LoginAttempt" and [HTTP::method] eq "POST" } { HTTP::collect [HTTP::header Content-Length] } if { [HTTP::path] ends_with "/Citrix/Company/" } { set var 1 } } } when HTTP_REQUEST_DATA { set payload [HTTP::payload] set newpayload [string map [list "f5-sso-token" "[ACCESS::session data get -secure session.sso.token.last.password]"] $payload] HTTP::payload replace 0 [string length $payload] $newpayload } when HTTP_RESPONSE { if { [info exists var] and $var } { HTTP::collect [HTTP::header values "Content-Length"] } } when HTTP_RESPONSE_DATA { set payload [HTTP::payload] set username [ACCESS::session data get session.sso.token.last.username] set password "f5-sso-token" set sso "" ### This code requires JQuery. Uncomment those lines if you need to load the library # # set jquery "" # set newpayload [string map [list "" $jquery] $payload] # ### END set newpayload [string map [list "" $sso] $payload] HTTP::payload replace 0 [string length $payload] $newpayload }
Tested this on version:
11.5