set/overide session values via iRule

Question

we are using the Loop "function" in a APM policy to handle the Login page&nbsp;
in this loop we need to separate different possible login methods (email, loginname,….) which we do in a iRule.
We found some inexplicable behavior when we have the second roundtrip. The changes via iRule remains in the last set value&nbsp;
When I log the value inside the irule it is correct, a Logging Item shows the old value.&nbsp;
Is there any “sync” needed?&nbsp;

seth_cooper · Answer

Hi,&nbsp;
You are running in to BugId 420284.  What happens is iRules run in tmm and Access Policy (login page, etc) run in apd.  When APD get the session variable from tmm it will cache the results and it will not update the cached results even if the variable has change in tmm, the BugId is to change this behavior.  Please open a case with F5 Support asking your company to be linked to the BugId.&nbsp;
Now... you do have some options to workaround this limitation.  If you can share exactly what you are trying to do with a screenshot of the VPE, show all information that would be needed to troubleshoot and provide your iRule I can help come up with a way to make this work for you.&nbsp;
Seth&nbsp;

jk20004 · Answer

Hi Seth,
what we do first is to give to user the option to login with the username, email upn and also older Domain\Username versions, second if we have identified the user we need to know the country (for only one special country) to authenticate on a other DC. We have a iRule Event after the Logon Page and there we get the username from the logonpage
set logonname [string trim [string tolower [ACCESS::session data get {session.logon.last.username}]]]
and after all the logic we set the logontype and the required field via ACCESS::session data set.
Via the BranchRules (of the Irule Event) and the logontype we choose different LDAP Query with corresponding SearchFilter using the Values set in the iRule
I also opened a Case and uploaded a qkview to ihealth

stanislas_piro2 · Answer

Hi,
You can use search filter matching all types:
(|(sAMAccountName=%{session.logon.last.logonname})(UserPrincipalName=%{session.logon.last.logonname})(mail=%{session.logon.last.logonname}))

jk20004 · Answer

yes and no. &nbsp;
Some Parts for example the required trim (don’t know why user are adding spaces at the end of their username) can be done via Variable Assign but there is a little bit more logic inside the iRule when user uses Domain/Username.&nbsp;

stanislas_piro2 · Answer

Variable assign can do lots of things without using iRules:
session.logon.last.username =
set username [string trim [mcget {session.logon.last.logonname}]]; 
if { $username contains "\" } { 
    return [string range $username [expr {[string first "\" $username] +1}] end ];  
} else { return $username }

or you can split username with logon page split option.

Forum Discussion

set/overide session values via iRule

7 Replies

Recent Discussions

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

SMS server with BIGIP

F5 terminal - help to run commands - disk space full

Related Content

Parsing F5 BIG-IP LTM DNS profile statistics and extracting values with Python

Session Persistence based on http header value using iRule

Ending an APM session when browser tab is closed

TLS Stateful vs Stateless Session Resumption

Agility sessions announced