Forum Discussion

kj07208_118528's avatar
kj07208_118528
Icon for Cirrus rankCirrus
Feb 26, 2014

Implementing a Form SSO through APM or IRules?

I have an application that I'm trying to do SSO with but they have a non-standard SSO implementation. First we have a URL on our side (someapp.mycompanydomain.com because we have to authenticate the url and the application does do redirects like SAML) you have to pass the application information in the http headers (did that!) and they will stream an html document back to you (F5) that will need to be sent back to the user. I was doing this using an APM with a form sso configuration the problem is I have to return the user the content that is sent from the service application.

 

User -> serviceapp.mycompanydomain.com (VIP on F5 with APM) serviceapp.mycompanydomain.com -> uses APM to authenicate user and look up information -> Form SSO -> Post to xyz.serviceapp.com xyz.serviceapp.com -> Responses with html document sent to F5 (this html document has to be sent to the user). All that being said which is the better route to go or take a hybriad half APM with an iRule? If the hybriad approach is used how do I handle the flow between APM and the iRule that would have to write back down to the cliient?

 

TIA

 

APM
application delivery
design
devops
iRules
security

1 Reply

Sort By
  • Rene_C_'s avatar
    Rene_C_
    Icon for Nimbostratus rankNimbostratus
    Feb 27, 2014

    I'm not sure if this does exactly what you need, but it would be a quick try: Did you ever check "Pass-Through" in your form-based SSO config? This should pass the requests and responses through to the client instead of having any processing just on the F5 - side. Though i'm not 100% sure if really everything is passed through to the client, you would need to quick-test it.

     

    Another way i could think of would be to do manual authentication in an iRule through a sidebanding request. Utilizing sidebanding, you could manually open the connection, do the form-post or whatever is needed, and just take the whole response-content and return it to the client.