Forum Discussion

Mar 12, 2014

Trying to use an iRule to determine the type of authentication in an Access policy

Currently I have an access policy that uses SAML, but I have users that have client applications that only understand NTLM or basic auth. I would like for the access policy and iRule to determine the incoming request by user agent: if it is a browser, process as normal to a SAML auth; else I need to send the client an authentication protocol that it knows how to handle, like basic auth. Also, I don't want it redirecting to mypolicy.php; that will mess the client up.

iRule

    when ACCESS_SESSION_STARTED {
        log local0.notice "APM: Received a new session from browser: [ACCESS::session data get "session.user.agent"]"

        set useWindowsAuth "0"
        set user_agent [ACCESS::session data get "session.user.agent"]

        # Tcl comparison: the variable must be dereferenced and the test braced
        if { $user_agent equals "Microsoft Office Protocol Discovery" } {
            set useWindowsAuth "1"

            # I don't want it to redirect to mypolicy.php
            HTTP::header insert "clientless-mode" 1

            # ? Don't know what to do next?
        }
    }

In the Access policy I don't know where this would have to go. Or would I respond with a 401 with clientless-mode set, then in the access policy check the headers for clientless-mode?

Yeah, I know that it's kind of hairy, but just give it one more shot.

1 Reply

Hi kj07208,

You can use HTTP_REQUEST in an iRule to add the clientless-mode header depending on user-agent. You can use ACCESS_SESSION_STARTED to add a custom variable to the policy that indicates the type of access you're receiving (browser vs non-browser).

The access policy would need to contain an empty box with 2 branches, based on expressions with mcget to evaluate the contents of your custom variable.

If browser, you could present a logon page or send a 401 response to collect credentials. If non-browser, you could send a 401 response to collect credentials. The 401 Response-thingy is a block in the visual policy editor. Once passed, it will fill out session.logon.last.username and session.logon.last.password (the password only if the auth supports it: Basic does, NTLM/Kerberos do not) for you. After the 401 you set an SSO Credential Mapping object, then the SAML auth or something else.

This will give you 2 branches: one for browsers, one for non-browsers. The policy actions could very well be the same, but with a normal browser you probably have the option of also using the integrated authentication mechanisms such as NTLM and Kerberos, or simply a logon page.

I'm not sure I'm making any sense to you, but by any means, feel free to tell me if I don't :D

Kind regards,

Thomas
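The two-event approach described in the reply, written out as an added example (not code from either poster). It assumes the access profile is attached to the virtual server, uses the assumed variable name session.custom.client_type for the policy branch, and treats only "Microsoft Office Protocol Discovery" (from the question) plus two assumed Office/WebDAV patterns as non-browser agents.

```tcl
when RULE_INIT {
    # Lower-case User-Agent substrings treated as non-browser clients.
    # "microsoft office protocol discovery" comes from the question; the other
    # two are assumed examples and should be tuned to the clients actually seen.
    set static::nonbrowser_agents [list \
        "microsoft office protocol discovery" \
        "microsoft-webdav-miniredir" \
        "microsoft office"]
}

when HTTP_REQUEST {
    # Classify the client before APM sees the request.
    set ua [string tolower [HTTP::header value "User-Agent"]]
    set client_type "browser"
    foreach pattern $static::nonbrowser_agents {
        if { $ua contains $pattern } {
            set client_type "nonbrowser"
            break
        }
    }
    if { $client_type equals "nonbrowser" } {
        # Clientless mode makes APM answer with the policy's 401 directly
        # instead of redirecting to /my.policy, which these clients cannot follow.
        HTTP::header insert "clientless-mode" 1
    }
}

when ACCESS_SESSION_STARTED {
    # client_type was set in HTTP_REQUEST on this same connection; default to
    # "browser" if it is absent so the SAML branch remains the safe fallback.
    if { ![info exists client_type] } { set client_type "browser" }

    # Expose the classification to the access policy. The VPE branch rule on
    # the empty box is then:
    #   expr { [mcget {session.custom.client_type}] equals "nonbrowser" }
    ACCESS::session data set session.custom.client_type $client_type
    log local0.notice "APM: new session, client_type=$client_type, agent=[ACCESS::session data get session.user.agent]"
}
```

The non-browser branch then carries the 401 Response and SSO Credential Mapping items from the reply, while the browser branch keeps the existing SAML auth.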