Forum Discussion

ssenecal_87343
Nov 09, 2009

Authentication using a REST WebService

Does anyone know any trick to simulate HTTP::geturl in an HTTP_REQUEST event? I need to perform OpenSSO token validation in an iRule, but I can't figure out how to check the validity of an incoming token.

Below is what I am trying to do, but obviously the HTTP::geturl section doesn't compile. Any help would be appreciated!

Shaun

when CLIENT_ACCEPTED {
    set forceauth 1
    set ckname iPlanetDirectoryPro
}

when HTTP_REQUEST {
    if {[HTTP::cookie exists $ckname]} {
        # verify the token is valid
        set resp [HTTP::geturl "https://opensso.server.com/opensso/identity/isTokenValid?tokenid=" [HTTP::cookie value $ckname]]
        if {$resp eq "boolean=true"} {
            set forceauth 0
        }
    }
    if {$forceauth eq 1} {
        # redirect the user to the OpenSSO server for authentication
        HTTP::respond 302 Location "https://opensso.server.com/opensso/UI/Login?goto=" [URI::encode HTTP::uri]
    }
}

8 Replies

  • You can use HTTP::retry to make a new HTTP request. Deb posted a helpful article on this a while back:

    Conditioning iRule Logic on External Information - 1 - HTTP::retry
    http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=105

    Also, if you're trying to append the output from a command to a string, you should include the command inside the double quotes:

    HTTP::respond 302 Location "https://opensso.server.com/opensso/UI/Login?goto=[URI::encode [HTTP::uri]]"

    Aaron
  • Thanks! This looks like it should work just fine. Also, thanks for the tip on the strings as well. My TCL is more than rusty!

    Shaun
  • I have this implemented, and it's "starting" to work except that I am constantly getting LB_FAILED. I'm hoping someone can point me to some obvious things to check. Below is the relevant bit of the iRule.

    when CLIENT_ACCEPTED {
        # Assumed initialization, not part of the posted excerpt: the cookie
        # name from the first post and the per-connection validation flag.
        set validate 1
        set ckname iPlanetDirectoryPro
    }

    when HTTP_REQUEST {
        log local0.debug "PolicyAgent: HTTP_REQUEST [HTTP::cookie count]"
        if {$validate eq 0} {
            log local0.debug "PolicyAgent: already validated"
            pool pool_dev_supportportal
        } elseif {[HTTP::cookie exists $ckname]} {
            log local0.debug "PolicyAgent: contains cookie"
            # if client hasn't already been validated, save the
            # request so we can replay it to the LB server later;
            set LB_request [HTTP::request]
            # inject lookup URI in place of original request;
            HTTP::uri "/opensso/identity/isTokenValid?tokenid=[HTTP::cookie value $ckname]"
            log local0.debug "PolicyAgent: URI: [HTTP::uri]"
            # and send the out-of-band validation query to the OpenSSO_pool.
            pool OpenSSO
        } else {
            log local0.debug "PolicyAgent: redirect to LoginUI"
            # this request doesn't even have a token to validate, so we need to redirect to the Login UI
            HTTP::respond 302 Location "http://server.com:8080/da/UI/Login?goto=[URI::encode "http://[HTTP::host][HTTP::uri]"]"
        }
    }

    when LB_FAILED {
        log local0.debug "PolicyAgent: LB failed for [LB::server] [LB::status]"
    }

    /var/log/ltm:

    Nov 11 10:59:46 local/tmm debug tmm[2392]: Rule OpenSSO_Agent : PolicyAgent: HTTP_REQUEST 2
    Nov 11 10:59:46 local/tmm debug tmm[2392]: Rule OpenSSO_Agent : PolicyAgent: redirect to LoginUI
    Nov 11 10:59:52 local/tmm debug tmm[2392]: Rule OpenSSO_Agent : PolicyAgent: HTTP_REQUEST 3
    Nov 11 10:59:52 local/tmm debug tmm[2392]: Rule OpenSSO_Agent : PolicyAgent: contains cookie
    Nov 11 10:59:52 local/tmm debug tmm[2392]: Rule OpenSSO_Agent : PolicyAgent: URI: /opensso/identity/isTokenValid?tokenid="AQIC5wM2LY4SfcyJdxjZhvz0JwE+tUTi411T4JVDyeKyuFU=@AAJTSQACMDE="
    Nov 11 11:00:05 local/tmm debug tmm[2392]: Rule OpenSSO_Agent : PolicyAgent: LB failed for OpenSSO 172.24.16.45 8080 up
    Nov 11 11:00:05 local/tmm debug tmm[2392]: Rule OpenSSO_Agent : PolicyAgent: HTTP_REQUEST 3
    Nov 11 11:00:05 local/tmm debug tmm[2392]: Rule OpenSSO_Agent : PolicyAgent: contains cookie
    Nov 11 11:00:05 local/tmm debug tmm[2392]: Rule OpenSSO_Agent : PolicyAgent: URI: /opensso/identity/isTokenValid?tokenid="AQIC5wM2LY4SfcyJdxjZhvz0JwE+tUTi411T4JVDyeKyuFU=@AAJTSQACMDE="
    Nov 11 11:00:17 local/tmm debug tmm[2392]: Rule OpenSSO_Agent : PolicyAgent: LB failed for OpenSSO 172.24.16.45 8080 up

    The bit that is failing is the "pool OpenSSO". Everything in that pool is marked as up, I am able to ping the pool members from the BIG-IP, and the LB::status indicates that everything is up. What else should I be checking to determine why I would receive LB_FAILED?
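Added example, not the poster's iRule and not the wiki version linked later in the thread: the complete HTTP::retry flow that Aaron's reply points to, including the HTTP_RESPONSE half the excerpt above omits. It assumes the pool names, cookie name and OpenSSO URLs used in this thread, and that OpenSSO's isTokenValid body is the `boolean=true`/`boolean=false` form the first post expects; the tokenid is URI-encoded because the cookie value in the log above contains `+`, `=` and quote characters.

```tcl
when CLIENT_ACCEPTED {
    # Per-connection state; 1 means the token has not been checked yet.
    set validate 1
    set ckname iPlanetDirectoryPro
    set saved_request ""
    set saved_url ""
}

when HTTP_REQUEST {
    if { $validate == 0 } {
        # Token already verified on this connection: hand off to the app.
        pool pool_dev_supportportal
    } elseif { [HTTP::cookie exists $ckname] } {
        # Keep the original request so it can be replayed after validation,
        # then rewrite this request into an isTokenValid query for OpenSSO.
        # URI::encode matters: the token contains '+', '=' and quote chars.
        set saved_request [HTTP::request]
        set saved_url "http://[HTTP::host][HTTP::uri]"
        HTTP::uri "/opensso/identity/isTokenValid?tokenid=[URI::encode [HTTP::cookie value $ckname]]"
        pool OpenSSO
    } else {
        # No token at all: send the client to the login UI with a goto back.
        HTTP::respond 302 Location "https://opensso.server.com/opensso/UI/Login?goto=[URI::encode "http://[HTTP::host][HTTP::uri]"]"
    }
}

when HTTP_RESPONSE {
    # Only responses to our own validation query need their body inspected.
    if { $validate == 1 && $saved_request ne "" && [HTTP::header exists "Content-Length"] } {
        HTTP::collect [HTTP::header "Content-Length"]
    }
}

when HTTP_RESPONSE_DATA {
    # OpenSSO answers "boolean=true" or "boolean=false" in the body.
    if { [string match "*boolean=true*" [HTTP::payload]] } {
        set validate 0
        # Replay the saved request: HTTP_REQUEST fires again and, with
        # validate == 0, routes it to the application pool.
        HTTP::retry $saved_request
    } else {
        # Invalid or expired token: fail closed, back to the login UI.
        HTTP::respond 302 Location "https://opensso.server.com/opensso/UI/Login?goto=[URI::encode $saved_url]"
    }
}

when LB_FAILED {
    # OpenSSO unreachable: never pass traffic through unvalidated.
    HTTP::respond 503 content "Authentication service unavailable"
}
```

Note that validate is tracked per TCP connection, so later requests on the same keep-alive connection are not re-checked against OpenSSO; a per-token table entry with a short timeout would be the stricter alternative.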
  • As a test, you could try removing the iRule from the VIP and configuring the OpenSSO pool as the VIP's default pool. Once the load balancing to the OpenSSO pool is working, you could start testing the iRule again. If the OpenSSO pool members don't have LTM as their default gateway you would want to enable SNAT on the VIP to ensure the responses come back to LTM.

    Aaron
  • Thanks Aaron. That is exactly what we did last week and found out we had forgotten to assign an SNAT pool. Once that was done, things were working smoothly. Once I get everything working I will post the final iRule so that anyone else wanting to authenticate traffic against OpenSSO can use it.
  • For anyone that is interested, I have posted my current version of the "F5 BIG-IP Policy Agent" at http://devcentral.f5.com/wiki/default.aspx/iRules/OpenSSO_authentication.html. It merely ensures that incoming HTTP traffic has been authenticated against the OpenSSO server before passing the request on.

    If you find any bugs or know how to optimize it, I would love to hear about it.