Forum Discussion

Tony_Kroukamp_1
Jul 29, 2014

Single Sign on from Full Webtop to second VS with Full Webtop

I’m having an issue I’m hoping someone can provide some advice on.

 

I have a VS with APM profile which brings users to a (we’ll call it the ‘Master’) WebTop with links to SharePoint and OWA amongst others. The SharePoint app is a WebTop link to another VS - I have used a Multi-Domain SSO config to facilitate SSO to the SharePoint VS and this works great.

 

Then I used the Citrix iApp to set up a VS and APM profile for Citrix apps. It works great and I see all my Citrix apps in the WebTop after successfully authenticating.

 

Now I need to add a link to the Master WebTop to direct users to the Citrix VS and single sign them on. I configured this just as I did for SharePoint, with Multi-Domain SSO, but it gets stuck in a loop. The F5 repeatedly prompts for credentials, authenticates me, then prompts me again.

 

So basically, is it possible to SSO from one WebTop to another? If so, how?

 

(By the way, there are so many Citrix apps that I don't want to use one WebTop for Citrix apps and non-Citrix apps. I know I can do this, but the WebTop gets too cluttered and confusing.)

 

Thanks in advance!

 

7 Replies

  • I think we cannot chain APM webtops without doing heavy cookie rewriting. Could you try to use a webtop link pointing to your Citrix VS, passing credentials through the URL? You could set up your link like this: http://vs citrix ip/?login=%{session.logon.last.username}&password=%{session.logon.last.mypassword}

     

    and add a Variable Assign to set up session.logon.last.mypassword just before the Resource Assign.

     

    The password would be clear text for the moment, but if it's working we can move to another step.

     

  • OK, so just to make sure I understand you. You want to get the credentials over to the second VS, and you are doing this by including them in the URL. Then I would have to write an iRule that will extract the credentials from the URL and dump them into session.logon.last.username and session.logon.last.password variables in this second VS? Any advice on the iRule I would need to do this?

     

    Thanks Tony

     

  • Actually, I wrote an iRule that makes this work:

    when ACCESS_SESSION_STARTED {
        # read the credentials passed in the webtop link's query string
        set username [URI::query [HTTP::uri] username]
        set password [URI::query [HTTP::uri] password]
        # seed the new session's logon variables so the policy can SSO
        ACCESS::session data set session.logon.last.username $username
        ACCESS::session data set session.logon.last.password $password
    }

     

    So now the next question is how do I encrypt this and keep things safe?

     

  • Tony, we could propose an alternative: instead of having username/password in the query, we could just send the APM session ID, which can be used to retrieve the username and password.

    1. I change the webtop link to http://10.0.10.40/?id=%{session.user.mysid}

    2. On the first VS I use this iRule:

    when ACCESS_SESSION_STARTED {
        log local0. "vs [IP::local_addr] newsid [ACCESS::session sid]"
        # publish this session's id as a variable the webtop link can reference
        ACCESS::session data set session.user.mysid [ACCESS::session sid]
    }

    3. On the second VS (Citrix for you) I use this iRule:

    when ACCESS_SESSION_STARTED {
        set firstvssid [URI::query [HTTP::uri] id]
        log local0. "vs [IP::local_addr] firstsid $firstvssid"
        # setting first session username into existing session
        ACCESS::session data set session.logon.last.username [ACCESS::session data get -sid $firstvssid session.logon.last.username]
        # setting first session password into existing session
        ACCESS::session data set session.logon.last.password [ACCESS::session data get -sid $firstvssid -secure session.logon.last.password]
    }

  • Thanks for this Arnaud

     

    I'm close to getting this working, but there is an error in your second iRule. It is to do with the "-secure" part. If I remove that the error goes away, but the password is hashed and I can't use it. The error in the logs is this:

     

    01220001:3: TCL error: /Common/SID_TRANSFER_DESTINATION_VS - variable lookup failed (line 1)Illegal argument (line 1) (line 1) invoked from within "ACCESS::session data get -sid $firstvssid -secure session.logon.last.password"

     

    Let me know what you think.

     

    Thanks Tony

     

  • Syntax should be OK; whatever, I'm still struggling with the -secure option and I can't get a working end-to-end configuration. I managed to get it working with the following modifications: I changed the iRule on the second VS to:

    when ACCESS_POLICY_AGENT_EVENT {
        # the id query parameter is read from the landing URI saved at session start
        set myuri [ACCESS::session data get session.server.landinguri]
        set firstvssid [URI::query $myuri id]
        log local0. "vs [IP::local_addr] firstsid $firstvssid"

        # setting first session username into existing session
        ACCESS::session data set session.logon.last.username [ACCESS::session data get -sid $firstvssid session.logon.last.username]
        # setting first session password into existing session
        ACCESS::session data set -secure session.logon.last.password [ACCESS::session data get -sid $firstvssid session.logon.last.mypassword]
    }

    1. On the first VS policy I added a Variable Assign following the logon page: session.logon.last.mypassword = mcget -secure {session.logon.last.password}

    2. On the second VS policy I added an iRule Event just after the start
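An added example (not code from Tony or Arnaud) that tightens the second-VS iRule above: it refuses a malformed id, a source session that no longer exists, or one that belongs to a different client IP before copying any logon variables, keeps the sid and password out of the log, and reports the outcome to the policy in a custom variable. It assumes an iRule Event agent ID of sidtransfer, 32-hex-character APM session ids, a policy branch on session.custom.sidtransfer, and wraps the cross-session lookup in catch in case an unknown id raises an error rather than returning an empty value.

```tcl
# Hardened second-VS iRule: only copy credentials from the webtop session when
# the id parameter and the source session pass all checks (added example).
# Assumptions (not from the thread): the iRule Event agent has ID "sidtransfer",
# APM session ids are 32 hex characters, and the policy branches on
# session.custom.sidtransfer ("ok" / "failed") right after this event.
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "sidtransfer" } { return }

    set myuri [ACCESS::session data get session.server.landinguri]
    set firstvssid [URI::query $myuri id]

    # 1. Accept only a well-formed session id; never log its value.
    if { [string length $firstvssid] != 32 || ![string is xdigit -strict $firstvssid] } {
        log local0. "vs [IP::local_addr] sidtransfer rejected: malformed id"
        ACCESS::session data set session.custom.sidtransfer "failed"
        return
    }

    # 2. The source session must still exist, have a logged-on user, and belong
    #    to the same client IP as this session (a sid copied from browser history
    #    or a referer on another host is refused). catch covers a lookup error
    #    on an unknown id (assumption: behaviour may be empty value or error).
    set srcuser ""
    set srcip ""
    catch {
        set srcuser [ACCESS::session data get -sid $firstvssid session.logon.last.username]
        set srcip [ACCESS::session data get -sid $firstvssid session.user.clientip]
    }
    set myip [ACCESS::session data get session.user.clientip]
    if { $srcuser eq "" || $srcip eq "" || $srcip ne $myip } {
        log local0. "vs [IP::local_addr] sidtransfer rejected: no such session or client mismatch"
        ACCESS::session data set session.custom.sidtransfer "failed"
        return
    }

    # 3. Copy the logon variables; the password is retrieved exactly as the thread
    #    does (session.logon.last.mypassword) and stored -secure, and is not logged.
    ACCESS::session data set session.logon.last.username $srcuser
    ACCESS::session data set -secure session.logon.last.password \
        [ACCESS::session data get -sid $firstvssid session.logon.last.mypassword]
    log local0. "vs [IP::local_addr] sidtransfer ok for user $srcuser"
    ACCESS::session data set session.custom.sidtransfer "ok"
}
```

With this in place the policy's branch rule on session.custom.sidtransfer can send a "failed" result to the normal logon page instead of looping on an empty credential set.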