Forum Discussion

vinodhkumarc_28
Mar 19, 2019

F5 APM HTTP Form Based Authentication

Hi All,

We have a requirement and request your views on achieving it using F5 LTM+APM.

Environment: Legacy application integrated with internal Active Directory, with form-based authentication. F5 LTM+APM to be deployed as a reverse proxy.

 

Requirement: Internal users are to be created in the internal AD and allowed access to the legacy application. For third-party users accessing from the internet, a user directory is to be created in the cloud and the authentication status shared with the F5 reverse proxy. Then, after successful authentication, F5 will have to submit the HTTP form-based authentication page of the legacy application with a read-only internal AD account (to be configured in the F5 configuration). Will it be possible to insert the AD account credentials in the F5 response to the application authentication page, so that the user is able to access the legacy application without an AD account? This will avoid having to create external users in the internal Active Directory.

Can you please advise if this requirement can be achieved.

Thank you.

3 Replies

  • Hello Vinodh,

    There is a well-documented method for performing authentication from multiple AD domains using user input that Cody Green posted, Multiple Domain Authentication, but this method does rely on user input and would not be transparent to your end user.

    There's no particular reason this VPE set-up can't be changed to other forms of authentication as well, including your Cloud authentication. From the sound of it, you might want to look into setting up a SAML federation, with the F5 as a service provider and whatever cloud authentication system you have as the identity provider.

    At a high level, users would hit your logon page and select either local or cloud authentication. Based on that setting, the user would navigate to either your Local AD auth or your Federated auth.

     

    Best of luck,

    Austin

    • vinodhkumarc_28

      Hi Austin,

      Thanks a lot for your reply.

      The issue here is that the legacy application is integrated with local AD and the IT Security team now wants to remove the contractor accounts from the local domain. But there is no way for the application authentication to be altered due to limitations. Now, we will be able to authenticate contractors with external authentication integrated with F5, but to access the legacy application the connection still requires a local AD account, which prompts for a username/password page. So I was checking if it's possible to insert a service account using an iRule into all successfully authenticated contractor sessions to allow access to the legacy application.

       

      Regards, Vinodh

    • AMiles_377865

      Thank you for clarifying, Vinodh, I understand your problem a little better. I can't think of any way to dynamically insert the credentials into AD transparently. Any solution I can come up with involves changing the configuration of the AD auth at least a little, which is against your limitations.

       

      The best thing I could imagine right now would be to call an iRule from an Agent Event after your consultants have successfully been authenticated. This would assign them the variables needed for the shared service account. But without re-configuring the legacy AD for SSO I'm not sure you can do anything with that beyond having the user log in manually. This could maybe be done by having a message box provide the contractor with the login info, though this solution is not very secure.

      Let me know if you figure something out. I'd be interested in whatever solution you come up with.
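The Agent Event plus iRule approach AMiles sketches, written out as an added illustration (not code from the thread or from F5): the Agent Event ID, data group name, session variable, login path and form field names are all assumptions.

```tcl
# Added illustration of the Agent Event + iRule idea discussed above (not code from the
# thread). Assumed names: an APM Agent Event with ID "legacy_sso" placed after the
# external-authentication branch of the access policy; a data group "legacy_sso_dg"
# with keys "user" and "pass" for the read-only AD service account; a legacy login
# form that POSTs fields "username" and "password" to /login.

when ACCESS_POLICY_AGENT_EVENT {
    # Mark only sessions that reached the contractor branch of the policy.
    if { [ACCESS::policy agent_id] eq "legacy_sso" } {
        ACCESS::session data set session.custom.legacy_sso 1
    }
}

when HTTP_REQUEST {
    # Collect the body only for the legacy login POST from a marked APM session
    # (MRHSession is APM's session cookie); every other request passes through untouched.
    if { [HTTP::cookie exists MRHSession] && [HTTP::method] eq "POST" \
         && [HTTP::path] eq "/login" \
         && [ACCESS::session data get session.custom.legacy_sso] eq "1" } {
        HTTP::collect [HTTP::header Content-Length]
    }
}

when HTTP_REQUEST_DATA {
    set svc_user [class lookup "user" legacy_sso_dg]
    set svc_pass [class lookup "pass" legacy_sso_dg]
    # Rewrite only the two credential fields; keep any other form fields as sent.
    set fields [list]
    foreach pair [split [HTTP::payload] "&"] {
        switch -- [lindex [split $pair "="] 0] {
            "username" { lappend fields "username=[URI::encode $svc_user]" }
            "password" { lappend fields "password=[URI::encode $svc_pass]" }
            default    { lappend fields $pair }
        }
    }
    set body [join $fields "&"]
    HTTP::payload replace 0 [HTTP::payload length] $body
    # The shared account hides who is acting on the legacy app, so record the
    # external identity with every injected logon to keep an audit trail
    # (session.logon.last.username is assumed to carry the external identity).
    log local0. "legacy SSO for [ACCESS::session data get session.logon.last.username] from [IP::client_addr]"
}
```

Because a shared account removes per-user accountability on the legacy side, the log line carrying the external identity is what keeps the audit trail. Keeping the service-account password in a data group (or APM's own SSO configuration) rather than inline also keeps it out of the iRule text.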