bdavis
Jun 10, 2014

APM: Inserting headers for back-end servers to process.

I'm trying to take a couple of pieces of information out of a consumed SAML assertion on the F5 as the service provider and insert them as headers to the back-end servers. Here is one of the variables in APM that I would like to pass to the servers: session.saml.last.nameIDValue. I'm just having a difficult time trying to figure out how to insert this as headers and have them make it to the back-end servers. I tried this, which creates the headers, because it logs them after they're created, but they never make it to the application server after the APM policy is complete. Any help you guys could provide would be great.

when ACCESS_POLICY_AGENT_EVENT {
    switch [ACCESS::policy agent_id] {
        "HEADERINSERT" {
            log local0. "session.saml.last.nameIDValue: [ACCESS::session data get session.saml.last.nameIDValue]"
            log local0. "session.saml.last.attr.name.xprole: [ACCESS::session data get session.saml.last.attr.name.xprole]"
            HTTP::header insert test1 "[ACCESS::session data get session.saml.last.nameIDValue]"
            HTTP::header insert test2 "[ACCESS::session data get session.saml.last.attr.name.xprole]"
            log local0. "TEST1: [HTTP::header value test1]"
            log local0. "TEST2: [HTTP::header value test2]"
        }
    }
}

4 Replies

  • dubdub

    Hi Brett,

    Not sure if it is of any help, but when I insert SAML values into HTTP headers, I use the ACCESS_ACL_ALLOWED and HTTP_REQUEST events for it. Have you tried test headers in either of those events to see if they get through to the backend web servers?

    Thanks, Jen

  • bdavis

    So I can insert them and then log them, but they never make it to the application. So I put a logging statement to log all headers in the when HTTP_REQUEST_SEND { and they are not there. So something is happening to them between the policy allow and when they actually get sent to the servers.

  • I had the same problem. I created an IIS web site, enabled NTLM, and did the headers as you did. This worked for me. Another problem is redirects; are you doing any redirects? What type of SSO configuration do you have?

  • bdavis

    Thanks guys, the actual issue was on the server side. I was able to insert them in the ACCESS_ACL_ALLOWED event as initially suggested above. But when I did it there, there were issues on the application side, and it is now fixed. However, the above iRule that you provided, dubdub, made me think I might want to check for existing sessions and re-insert the headers for these; however, the application generates a JSESSIONID to track the session after authentication, so I may not ever need to. Thank you guys for your help.
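
The approach the thread settles on, inserting the SAML-derived values in ACCESS_ACL_ALLOWED, is sketched below as an added example that is not code from any of the posters. The header names test1 and test2 and the session variables are the ones from the original post; removing client-supplied copies of those headers and the CR/LF check are additions made here, on the assumption that the back end trusts these headers for identity or role decisions.

```tcl
when ACCESS_ACL_ALLOWED {
    # This event fires for each request that APM allows through for an
    # established session, so the headers are set per request.
    # Pairs of: header name, APM session variable (names from the original post).
    foreach {hdr var} {
        test1 session.saml.last.nameIDValue
        test2 session.saml.last.attr.name.xprole
    } {
        # Added here: drop any copy of the header sent by the client so the
        # back end only ever sees the value taken from the SAML assertion.
        HTTP::header remove $hdr

        set value [ACCESS::session data get $var]

        # Nothing to insert if the assertion did not carry this value.
        if { $value eq "" } { continue }

        # Added here: refuse values containing CR or LF, which would let an
        # attribute value break out of the header line.
        if { [regexp {[\r\n]} $value] } {
            log local0. "Not inserting $hdr: value of $var contains CR/LF"
            continue
        }

        HTTP::header insert $hdr $value
    }
}
```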