Philipp_Stadler
May 30, 2014

apm sso inline javascript

Hi all,

I'm trying to implement APM+SSO (form-based, client-initiated) on a web application. The form detection seems to work fine, because I can see the injected JavaScript in the page source in the client's browser, but I always get the error message "Content Security Policy: The page's settings blocked the loading of a resource: An attempt to execute inline scripts has been blocked" in Firefox, or a similar message in Google Chrome. The result is that the normal form is displayed.

I configured the policy with this guide: apm-authentication-single-sign-on-11-5-0

Any hints on how I can resolve this issue?

Many thanks, Philipp

5 Replies

  • kunjan

    For Firefox, you can disable content security policy... of course it brings down the security.

    In the address bar, type about:config and search for security.mixed_content.block_active_content. Double-click it and change its value to false.

    Or you can try Form based SSO, instead of the client initiated Form SSO.

    • Philipp_Stadler
      I already tried form based SSO, but I could catch the logon form by URI; with client-initiated form-based I did it by header field (Referrer), which worked OK. I think turning off security isn't a way to go for a public application. Regards, Philipp
  • I've just run into the same issue with APM+SSO and it's due to CSP (Content Security Policy). The application is sending a header that specifies where different things are allowed to be loaded from (scripts, style sheets, fonts, and images). Newer, compliant browsers will interpret that header and, depending on the settings, will disable inline JavaScript, which is how APM adds its forms SSO.

    In order to fix this, you'll need to either modify the CSP directive for the application, or you can modify it through an iRule. See the following sites for more information on what CSP is and does. Unless the F5 engineers can update the APM SSO to use JavaScript files for the SSO stuff, this issue may become more prevalent over time with the standardization of HTML5 applications.

    • http://www.html5rocks.com/en/tutorials/security/content-security-policy/
    • http://www.cspplayground.com/home

    Hope this helps.
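As an added example (not from any of the replies above, and not F5 code), the script below works through what the last reply describes: it parses a Content-Security-Policy header the way a browser does when deciding whether an inline script it finds in the page (such as the one APM injects for form SSO) may run, and it shows the minimal header rewrite an iRule or the application itself would have to make. The header values are constructed samples; the function and constant names are my own.

```python
"""Decide whether a CSP header lets an injected inline <script> run.

Rules applied (as browsers implement them):
  * inline scripts are governed by script-src; if it is absent, default-src
    applies; if neither is present, scripts are unrestricted;
  * an inline script with no nonce/hash runs only if the governing list
    contains 'unsafe-inline';
  * a nonce-, sha256-/384-/512- source or 'strict-dynamic' in that list makes
    'unsafe-inline' ignored, so an injected script without a nonce is blocked.
"""

from typing import Dict, List, Optional

# Source expressions that cause browsers to ignore 'unsafe-inline'.
HASH_OR_NONCE_PREFIXES = ("nonce-", "sha256-", "sha384-", "sha512-")

# Constructed sample: a policy like the one that produced the Firefox error
# quoted in the question (scripts only from self, nothing inline).
SAMPLE_APP_CSP = "default-src 'self'; script-src 'self' https://cdn.example.com; img-src *"


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [source expressions]}.

    Directives are ';'-separated; a repeated directive is ignored (browsers
    honour the first occurrence). Names are case-insensitive.
    """
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def policy_to_header(policy: Dict[str, List[str]]) -> str:
    """Serialise a parsed policy back into a header value."""
    return "; ".join(f"{name} {' '.join(sources)}".rstrip()
                     for name, sources in policy.items())


def script_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """Return the source list that governs scripts, or None if unrestricted."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def _keyword(source: str) -> str:
    # Keyword sources are quoted ('self', 'unsafe-inline', 'nonce-...');
    # comparisons are case-insensitive.
    return source.strip("'").lower()


def unsafe_inline_ignored(sources: List[str]) -> bool:
    """True if a nonce, hash or 'strict-dynamic' makes 'unsafe-inline' moot."""
    keywords = [_keyword(s) for s in sources]
    return any(k.startswith(HASH_OR_NONCE_PREFIXES) or k == "strict-dynamic"
               for k in keywords)


def inline_script_allowed(header: str) -> bool:
    """Would an inline script carrying no nonce/hash execute under this header?"""
    sources = script_sources(parse_csp(header))
    if sources is None:
        return True
    if unsafe_inline_ignored(sources):
        return False
    return "unsafe-inline" in (_keyword(s) for s in sources)


def permit_inline_script(header: str) -> str:
    """Return the header with the smallest change that allows inline scripts.

    This is the loosening the reply above describes (done in the app or via
    an iRule that rewrites the response header). It refuses when the policy
    relies on nonces/hashes, because adding 'unsafe-inline' there changes
    nothing; that policy has to be changed at the application itself.
    """
    policy = parse_csp(header)
    sources = script_sources(policy)
    if sources is None:
        return header  # nothing restricts scripts already
    if unsafe_inline_ignored(sources):
        raise ValueError("script-src uses a nonce, hash or 'strict-dynamic'; "
                         "'unsafe-inline' would be ignored")
    # 'none' is only meaningful on its own, so drop it when adding a source.
    new_sources = [s for s in sources if _keyword(s) != "none"]
    if "unsafe-inline" not in (_keyword(s) for s in new_sources):
        new_sources.append("'unsafe-inline'")
    policy["script-src"] = new_sources  # creates script-src from default-src if needed
    return policy_to_header(policy)


if __name__ == "__main__":
    print("inline allowed:", inline_script_allowed(SAMPLE_APP_CSP))
    print("rewritten     :", permit_inline_script(SAMPLE_APP_CSP))
```

Run it against the value an application returns in its Content-Security-Policy response header to see whether the APM-injected script will be blocked and which directive is doing the blocking. Note that the rewrite only relaxes script-src; the rest of the application's policy is left as it was.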