F5 APM - HTTP Auth issues with redirecting token.
Issue: We have an application that houses a User Directory Services and we use an HTTP form-based auth profile. We set the standard config for this.
Everything looks like it's going to work and the auth gets to the server, BUT, what seems like a problem is the Successful Logon Detection Match Value:
.:8080/otdsws/login?RFA=PostTicket%3A%3Ahttp%3A%2F%2Fwecma0021..%3A8080%2Fwebaccess%2F%3Fwahash%3D%2523tab%253Dcontent
The idea is that the auth would be sent to wecma0020, a token is received back and redirected to wecma0021 with that token. From the webserver, works great, but when we add this into the APM for successful detection, it just spins. When I look at Managed Sessions with my user id, I get the following:
2016-03-25 11:56:38 Username ‘_*@******.com'
2016-03-25 11:57:21 Following rule 'fallback' from item 'Message Box(1)' to ending 'Allow'
2016-03-25 11:57:21 Access policy result: LTM+APM_Mode
2016-03-25 11:57:22 \N: Could not find SSO username, check SSO credential mapping agent setting
2016-03-25 11:57:22 \N: SSO username is empty - SSO is disabled
2016-03-25 11:57:23 \N: Could not find SSO username, check SSO credential mapping agent setting
2016-03-25 11:57:23 \N: SSO username is empty - SSO is disabled
Currently we are using a Kerberos SSO config but started thinking we might need Forms or Form-Client initiated SSO. But we don’t know if that is the correct direction or not. Any value would be greatly appreciated.