Forum Discussion

Peter_Baumann_5
Jun 22, 2015

APM: SSO not able to setup for phpipam

Hi all, I have been trying for a while to set up SSO for the phpipam web app, demo here: http://phpipam.net/phpipam-demo/

 

I use this web app to try the more complex SSO setups, since phpipam uses a modern login form with JavaScript etc.

 

Does anyone have a working config for this commonly used tool in the OSS world? I can post logfiles etc. if someone is able to help me with this. Actually I'm doing tests with "Forms - Client Initiated" but I cannot get this to work.

 

Thanks, Peter

 

8 Replies

  • what does your logging say, does it detect the page, does it attempt a login? you gotta check your /var/log/apm for this, for some reason it doesn't show in the session log in the GUI.
  • What I get is the following:

    Jun 25 11:36:15 bigip1 info tmm2[11400]: 014d0002:6: 3208cc09: SSOv2 Form submitted, config /LNB/sso_client_lnb form IPAM
    Jun 25 11:36:15 bigip1 warning tmm2[11400]: 014d0002:4: 3208cc09: SSOv2 Logon failed, config /LNB/sso_client_lnb form IPAM

    Matching, sending, form variables etc. are OK, I checked it many times. So with the above messages, with logging set to debug, I don't get more information on why it is not working. How can I do more troubleshooting of "Logon failed" SSO messages?
  • can you check on the server if a login attempt is made and if so if it is wrong in some way?

     

    It would be nice if there was just a little more debugging, but I'm afraid there isn't.

     

  • kunjan

    Have you tried form based SSO with form-username as ipamusername and form-password as ipampassword?

     

    • Peter_Baumann
      Hi kunjan, I tried both form based SSO profiles without success. Now I have another PoC installation to do for a customer where I could only get 1 of 3 applications to work with SSO. The whole SSO thing is somewhat unusable in customer environments... it's bad :-(
  • I just ran into this issue.

    This can be solved with an iRule as the phpipam application doesn't redirect on a successful login.

    when HTTP_RESPONSE {
        # Trigger collection for up to 1MB of data
        if { [HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] <= 1048576 } {
            set content_length [HTTP::header "Content-Length"]
        } else {
            set content_length 1048576
        }
        # Check if $content_length is not set to 0
        if { $content_length > 0 } {
            HTTP::collect $content_length
        }
    }
    
    when HTTP_RESPONSE_DATA {
        # phpipam reports a successful login in the response body instead of
        # redirecting, so turn that response into a redirect
        if { [HTTP::payload] contains "Login successful" } {
            log local0. "Login successful"
            HTTP::redirect http://ipam.domain.com/phpipam/
        }
    }
    

    Once this rule is applied to the VIP with the APM policy you can use a regular forms SSO profile with the following values:

    apm sso form-based sso_apm_ipam.domain.com_forms {
        form-action /phpipam/app/login/login_check.php
        form-password ipampassword
        form-username ipamusername
        passthru true
        start-uri /phpipam/\?page=login
    }
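
For triaging the "SSOv2 Logon failed" lines quoted earlier in the thread, the following is an added example (not code from any poster or from F5) that tallies SSOv2 events per SSO config and form from `/var/log/apm`-style lines. It only knows the two message texts shown in the thread; the `min_sessions` threshold, and reading "every submission fails across several sessions" as a profile/application mismatch rather than bad credentials, are assumptions of this example.

```python
import re
from collections import defaultdict

# Matches only the two SSOv2 messages quoted in the thread; other lines are skipped.
SSO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) (?P<level>\w+) \S+: "
    r"[0-9a-f]{8}:\d: (?P<sid>[0-9a-f]{8}): SSOv2 "
    r"(?P<event>Form submitted|Logon failed), "
    r"config (?P<config>\S+) form (?P<form>\S+)"
)

def summarize_sso(lines):
    """Tally submissions, failures and session ids per (config, form)."""
    stats = defaultdict(lambda: {"submitted": 0, "failed": 0, "sessions": set()})
    for line in lines:
        m = SSO_LINE.match(line.strip())
        if not m:
            continue
        entry = stats[(m["config"], m["form"])]
        entry["sessions"].add(m["sid"])
        entry["submitted" if m["event"] == "Form submitted" else "failed"] += 1
    return dict(stats)

def always_failing(stats, min_sessions=2):
    """Forms whose every submission failed in at least min_sessions sessions
    (heuristic, assumed here: points at the SSO profile, not at one user)."""
    return sorted(
        key for key, v in stats.items()
        if v["submitted"] and v["failed"] >= v["submitted"]
        and len(v["sessions"]) >= min_sessions
    )

# First two lines are the ones quoted in the thread; the rest are constructed.
SAMPLE = """\
Jun 25 11:36:15 bigip1 info tmm2[11400]: 014d0002:6: 3208cc09: SSOv2 Form submitted, config /LNB/sso_client_lnb form IPAM
Jun 25 11:36:15 bigip1 warning tmm2[11400]: 014d0002:4: 3208cc09: SSOv2 Logon failed, config /LNB/sso_client_lnb form IPAM
Jun 25 11:41:02 bigip1 info tmm1[11400]: 014d0002:6: 5a17e0b2: SSOv2 Form submitted, config /LNB/sso_client_lnb form IPAM
Jun 25 11:41:02 bigip1 warning tmm1[11400]: 014d0002:4: 5a17e0b2: SSOv2 Logon failed, config /LNB/sso_client_lnb form IPAM
Jun 25 11:41:03 bigip1 notice constructed: unrelated line that must be ignored
""".splitlines()

if __name__ == "__main__":
    for (config, form), v in summarize_sso(SAMPLE).items():
        print(config, form, v["submitted"], v["failed"], sorted(v["sessions"]))
    print("always failing:", always_failing(summarize_sso(SAMPLE)))
```

On a BIG-IP, pass the lines of `/var/log/apm` to `summarize_sso` instead of `SAMPLE`.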