Forum Discussion

LarsS__178188
Mar 22, 2016

APM - Delete SSO credentials after login

Hello everybody,

I couldn't find any solution to my issue so far, so I'm trying my luck here.

We use APM to access a SAP Portal. To realize SSO with the F5 and the SAP Portal login side, our One-Time-Password is made valid for 5 sec. After you have logged in to the F5 (Radius Auth.), username + password are forwarded to the SAP Portal with SSO credential mapping. This makes the OTP a two-time-password. Not the nicest thing, but it works. From now on, I have a valid session on the F5 with the OTP stored in the credential mapping, and I have a separate session on the SAP Portal with a session cookie.

Behind the SAP Portal are various systems like Lotus iNotes, a CRM and various other SAP systems (ERP, BW, PI, etc.). All those systems work fine as they use named user accounts, based on the SAP Portal session cookie. Except for the Business Warehouse system. We do have appr. 1200 named users in the SAP Portal, but a user/licence limit of about 200 in the BW system! That's why the programmers have decided to use a general/anonymous service user to display statistics, analysis, etc., and directly coded the user into the HTTP request towards the BW system. Ugly, I know.

Both the SAP Portal and the BW system are based on the Java stack of SAP and use the field names "j_user" and "j_password" at the login page.

But the F5 SSO seems to be faster than the posted service user and password in the URL. It uses the username and OTP from the initial login, because the field names from the BW are the same: j_user and j_password! If I remove the SSO from APM, so that I have to log in to the F5 APM and the SAP Portal separately, the BW application later on works fine.

Sorry for the long explanation, but this leads me to my question. Is it somehow possible to delete the cached SSO credentials after the APM has passed Login Page -> Radius Auth. -> SSO Credential Mapping -> Webtop and Links Assign?

I know that the F5 works correctly here, but perhaps there's somehow a chance to have a workaround in place with F5 until the application issue is solved?!

Many thanks in advance,
Lars


  • Josiah_39459
    Historic F5 Account

    Is the BW app a pool or a weblink or what? If SSO is being applied that means the request must be passing through the F5, so on whatever vip gets the request, check the HTTP_REQUEST event [HTTP::uri] and apply SSO::disable accordingly.

    e.g.

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/blahblahblah" } {
            WEBSSO::disable
        }
    }

    or

    when ACCESS_ACL_ALLOWED {
        if { [HTTP::uri] starts_with "/blahblahblah" } {
            WEBSSO::disable
        }
    }

    similar depending on your app and f5 config

    • LarsS__178188
      The BW System is not a pool. The SAP Portal only delivers a framework and forwards URI links to the Client. The Client himself is responsible for calling those embedded applications like the BW. In this case, the F5 as a reverse proxy is responsible for calling them and inserts the credentials from the SSO credential mapping. I didn't work much with iRules so far, so I didn't know the SSO::disable Option. I'll check it out and come back to it afterwards. Many thanks for this hint! Lars
    • Walter_Kacynsk1
      The proper command name is WEBSSO::disable -- https://clouddocs.f5.com/api/irules/WEBSSO__disable.html
  • There are many ways to accomplish this. Here is a method that I have used to hardcode static accounts. The downside to this approach is that the password would be coded in plain text in the big-ip configuration. Depending on your setup this may or may not be a problem. I chose not to use the HTTP Basic Auth SSO object since it requires more coordination and the task can be solved with a single iRule.

    when ACCESS_POLICY_COMPLETED {
        switch [ACCESS::session data get "session.policy.result"] {
            "allow" {
                # Set up the BW SSO object with a custom session variable that stores
                # the base64-encoded version of username:password
                ACCESS::session data set -secure session.custom.sso.bwAuth [b64encode StaticUsername:StaticPassword]
            }
        }
    }

    when ACCESS_ACL_ALLOWED {
        switch -glob [HTTP::uri] {
            "/bw*" {
                # Insert the pre-constructed Basic Auth header for this URL
                HTTP::header replace "Authorization" "Basic [ACCESS::session data get -secure session.custom.sso.bwAuth]"
            }
        }
    }
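
The two answers above can be combined into one iRule that keeps APM's forms-based SSO for the SAP Portal but switches it off on the BW path, so the mapped username/OTP is never replayed into the BW login form, and hands BW the static service account instead. This is an added example, not code from either poster or from F5; the `/bw` path prefix, the `session.custom.sso.bwAuth` variable name and the `BW_SERVICE_USER`/`BW_SERVICE_PASSWORD` placeholders are assumptions.

```tcl
# Added example (not from the original thread). Assumptions: BW is reached
# through the same APM virtual under a path starting with "/bw"; the service
# account placeholders below are replaced with the real static account.

when ACCESS_POLICY_COMPLETED {
    # Build the BW credential only for sessions the access policy allowed.
    if { [ACCESS::session data get "session.policy.result"] eq "allow" } {
        # -secure keeps the variable out of session-variable reports and logs;
        # the value is still plain text in the iRule, as the answer above notes.
        ACCESS::session data set -secure session.custom.sso.bwAuth \
            [b64encode "BW_SERVICE_USER:BW_SERVICE_PASSWORD"]
    }
}

when ACCESS_ACL_ALLOWED {
    # Match on the path only (no query string), case-insensitively, so a
    # "/BW?..." request is handled the same way as "/bw".
    set path [string tolower [HTTP::path]]
    if { $path starts_with "/bw" } {
        # Stop APM from injecting the user's mapped username/OTP into this
        # request; every other path keeps the normal SSO credential mapping.
        WEBSSO::disable
        # Present the static service account to BW instead.
        HTTP::header replace "Authorization" \
            "Basic [ACCESS::session data get -secure session.custom.sso.bwAuth]"
        # Audit trail: BW itself will only ever see the service account.
        log local0.info "BW request in APM session [ACCESS::session sid]: web SSO disabled, service account used"
    }
}
```

Because BW only sees the shared service account, the per-user accountability on that system is gone; the `log` line ties each BW request back to the APM session id so the mapping from BW activity to the real user survives on the BIG-IP side. The iRule's configuration text contains the service password in the clear, so it should be readable only by administrators who are allowed to know that account.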