Forum Discussion

David_E__Smith_
Jul 07, 2015

APM domains: How to switch based on user input?

As part of a project to migrate some users away from Microsoft ISA Server to F5 APM, I'm trying to replicate how a certain form works, to keep end-users from noticing and/or panicking. 🙂

The form has "username" and "password" text boxes, and a set of radio buttons for "domain". That's all easy enough. The user can select a domain, enter credentials, and things work. In the VPE, the logon form has several branches like this:

expr { [ mcget "session.logon.last.domain" ] equals "DOMAINNAMEHERE" }

After that, there are separate AD Auth actions, and suitable SSO mappings. Almost everything works. Almost ...

There's an edge case that doesn't work. If you select one domain, attempt to log in, then switch domains, APM doesn't catch that, and keeps trying to authenticate against whichever domain you selected first.

How can I adjust my policy, to handle the case where the user switches the "domain" radio button?

3 Replies

  • There is no way to allow the user to change parameters between the logon page and the auth box...

    When the authentication server rejects authentication and max auth attempts are not reached, the VPE goes back to the logon page reminding path.

    The only solution is to configure authentication max attempts to 1 and force a new session between attempts.

  • That's certainly surprising. Since username and password are form variables that can be changed (if you mistype your password, for instance), I'd certainly expect to be able to change other inputs too. But if I can't, so be it...

    Thoughts/comments on something like this as a workaround? This is intended to terminate the existing session, then bounce the user back to whatever page they originally requested (which should implicitly start a new session).

    when ACL_ACCESS_DENIED {
      ACCESS::session remove
      HTTP::redirect [HTTP::uri]
    }
    
  • Add a VPE Ending with the following configuration:

    Type: redirect
    URL: %{session.server.landinguri}

    Configure the fallback branch to this ending.