Forum Discussion
Session migration on APM
Hi,
Is there any ability on APM to take the password from one session to another session?
- youssef1
Cumulonimbus
Hi,
Yes, I think you can use an iRule event and retrieve a session variable using the following command:
ACCESS::session data get [-sid ] [-secure] -ssid
For more info: https://devcentral.f5.com/wiki/iRules.ACCESS__session.ashx
You of course have to specify the ssid of the session from which you want to retrieve your session variable (password).
But I think it will be complicated to manage this, because how will you know the ssid of the session from which you want to retrieve the password (this session will be dynamic for each connection)?
What is your context?
You can use identity federation in order to ask for the password only one time, or multidomain SSO. It could meet your needs.
Regards
- Stanislas_Piro2
Cumulonimbus
This is additional information about Youssef's answer.
You can get SID from another session if you know the userkey format.
The default user key format is
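.
# Access profile that holds the session to read from
set OTHER_POLICY "/Common/access_policy_1"
set apm_username [ACCESS::session data get session.logon.last.username]
# All session IDs registered under the user key of the other policy
set apm_cookie_list [ACCESS::uuid getsid "${OTHER_POLICY}.$apm_username"]
set first_session [lindex $apm_cookie_list 0]
# -sid takes the session ID value, hence $first_session
set password [ACCESS::session data get -sid $first_session -secure session.logon.last.mypass]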
There is only one restriction... for security reasons, the session variable session.logon.last.password can't be read from irule... you have to use a variable assign from the first policy to copy session.logon.last.password to session.logon.last.mypass
I would recommend using multi-domain SSO instead of multiple Access Policies if you want to configure linked web sites.
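Added example, not part of the post above and not F5's own code: the same lookup placed inside an iRule event, with guards for the cases where no matching session or no copied password exists. The agent id copy_pw is an assumption, as is a first policy at /Common/access_policy_1 that has already copied the password into session.logon.last.mypass with a secure Variable Assign.

```tcl
# Added example. Assumptions: an "iRule Event" agent with id copy_pw sits in
# the second access policy, and the first policy (/Common/access_policy_1)
# already stored the password in session.logon.last.mypass as a secure variable.
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "copy_pw" } { return }

    set other_policy "/Common/access_policy_1"
    set apm_username [ACCESS::session data get session.logon.last.username]
    if { $apm_username eq "" } {
        log local0. "copy_pw: current session has no username yet"
        return
    }

    # User key built the same way as in the post above.
    set sid_list [ACCESS::uuid getsid "${other_policy}.${apm_username}"]
    if { [llength $sid_list] == 0 } {
        # No session for this user in the other policy: nothing to copy.
        log local0. "copy_pw: no session in $other_policy for $apm_username"
        return
    }

    # Several sessions may match; like the post, take the first one.
    set first_session [lindex $sid_list 0]
    set password [ACCESS::session data get -sid $first_session -secure session.logon.last.mypass]
    if { $password eq "" } {
        log local0. "copy_pw: session.logon.last.mypass is empty in the other session"
        return
    }

    # Keep the value in the secure store of the current session and never log it.
    ACCESS::session data set -secure session.logon.last.mypass $password
    unset password
}
```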
- Rotem
Nimbostratus
Hi, First of all thank you guys,
These are not linked websites; both pages are on the same domain/app. The main issue is caused by Chrome and a third-party OFBA (not SharePoint), and I'm using form based to push the credentials to it.
The user is extracted from smart card / SAML (the app works just fine using KDC delegation); the only problem is when the OFBA pops up. So the user I have all the time, and the password I use from the logon page only for the form.
In Explorer it works perfectly, and in Chrome, for some unknown reason, it opens a second session when the OFBA page arrives and form SSO breaks on an error that there is no password.
Office is excluded from the APM and OFBA is in, as if Office is in the flow there are about 10 broken sessions in both Explorer and Chrome. But again, in Explorer it works perfectly.
I didn't fully understand how multiple domain should assist here.
- Rotem
Nimbostratus
Hi,
As I thought, the multi-domain didn't help, but after debugging the client connections I found the following:
When I use Chrome:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
When the (third-party) OFBA pops up I got:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729
OR
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; ms-office; MSOffice 16
So it looks like Office forces me to use "compatible IE", then another session opens and I'm back to the SSO issue.
About sharing the password with another session: can I use the password in secure mode without decrypting it (variable change)?
By now your question has changed quite some. I would suggest starting a new one with an explanation as done in your comments and then see if someone can pick it up from there.