Forum Discussion

David_G__33241
Feb 02, 2016

SSO iRule for Portal Link

I have a Portal link for an internal application that uses CA Technologies Single Sign-On (formerly SiteMinder). The SiteMinder server front-ends all of the traffic to the application server. The SSO resource item is set up to watch for /siteminderagent/ntlm/creds.ntc\?CHALLENGE=&SMAGENTNAME=*, at which point the SSO profile is applied and all is good.

The problem is that the application itself was originally designed to maintain its own user database, and because of some legacy coding it will still occasionally prompt the user for credentials. No matter what the user types in, it will fail because the application does not maintain a user database anymore. (What can I say, I didn't write the code.) When this happens, the path will always be something like /cmobileweb/authenticate*. I have a resource item to specifically NOT apply SSO for this path, because if I do respond with credentials, SSO will become disabled for the rest of the session as per F5 design.

Since I do not respond to the credential request with SSO, the user will see the standard browser popup asking for a username and password. At this point the only option that allows the user to continue is to hit the Cancel button, and because of crappy code, the user will actually be prompted six times.

What I would like to do is associate an iRule with the virtual which can look for the authentication request and automagically respond with the equivalent of the user hitting the Cancel button. Unfortunately my HTML is not strong enough and I need some guidance. I assume that to start with I need to look at the headers using when HTTP_REQUEST and HTTP::header names/values and find the one that is prompting the user to authenticate, but I don't know how to prevent the user from getting the popup and have the iRule respond on behalf of the user.

Any help would be appreciated.

Thanks

APM 11.5.3


apm resource portal-access cmobile_portal-access {
    acl-order 46
    application-uri http://server.company.com/cmobileweb/default.aspx
    customization-group cmobile_portal-access_resource_web_app_customization
    items {
        item {
            compression-type none
            home-tab false
            host server.company.com
            order 1
            paths /cmobileweb/*
            subnet 0.0.0.0/0
        }
        item0 {
            home-tab false
            host server.company.com
            order 3
            paths /siteminderagent/ntlm/creds.ntc\?CHALLENGE=&SMAGENTNAME=*
            port https
            scheme https
            sso ntlm-v2_sso
            subnet 0.0.0.0/0
        }
        item1 {
            home-tab false
            host server.company.com
            order 2
            paths /wfmportal/*
            subnet 0.0.0.0/0
        }
    }
    path-match-case false
    publish-on-webtop true
    scheme-patching true
}


1 Reply

Lucas_Thompson_

    Are the authentication prompts normal 401s from the backend server?


    If so, you could probably have the BIG-IP detect them and use HTTP::retry to retry the serverside request until it was no longer a 401, assuming the server will switch over to a 200 after X number of tries, instead of just switching over to a 403.


    See this page for some examples:


    https://devcentral.f5.com/wiki/iRules.HTTP__retry.ashx
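The HTTP::retry approach sketched in the reply, written out as an added example (not code from either poster or from F5). It assumes the 401s are ordinary responses from the application server, that the virtual has an HTTP profile, and that the server stops answering 401 after a few repeats, as the reply assumes; the path prefix and the cap of six come from the original post, and the counter is bounded so a server that never stops returning 401 cannot put the BIG-IP into an endless retry loop.

```tcl
# Added example: absorb the legacy 401 credential prompts for /cmobileweb/authenticate*
# by replaying the request server-side a bounded number of times (HTTP::retry).
# Assumptions: HTTP profile on the virtual; 401s are real server responses;
# HTTP::retry does not re-raise HTTP_REQUEST, so the counter below is only reset
# when the client sends a new request (this matches the DevCentral HTTP::retry examples).
when HTTP_REQUEST {
    # Track only the path that triggers the bogus credential prompt.
    if { [string tolower [HTTP::path]] starts_with "/cmobileweb/authenticate" } {
        # Save the raw request (headers only; a POST body would need HTTP::collect first).
        set saved_req [HTTP::request]
        set saved_path [HTTP::path]
        set retries 0
    } else {
        # Any other request on this connection is passed through untouched.
        unset -nocomplain saved_req saved_path
        set retries 0
    }
}

when HTTP_RESPONSE {
    # Act only on a 401 for a request we saved, and never more than six times.
    if { [info exists saved_req] && [HTTP::status] == 401 } {
        if { $retries < 6 } {
            incr retries
            log local0.info "401 for $saved_path from [IP::client_addr]; retry $retries of 6"
            HTTP::retry $saved_req
            return
        }
        # Give up: let the client see the final 401 rather than looping forever.
        log local0.warning "Still 401 for $saved_path after $retries retries; passing it through"
    }
    # Any non-401 (200, 302, 403) or the final 401 is released to the client as-is.
    set retries 0
    unset -nocomplain saved_req saved_path
}
```

The log lines give a way to confirm from /var/log/ltm how many retries the server actually needs before it stops answering 401; if it switches to 403 instead, the rule passes that through unchanged.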