For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

JP_135500's avatar
JP_135500
Icon for Nimbostratus rankNimbostratus
Jan 31, 2014
Solved

Only enable access policy when server response is 401?

We have a site that is a mix of anonymous and authenticated content. The authenticated content lives all over within the site and is maintained by hundreds of content editors, so there's really no pa...
anonymous
application delivery
BIG-IP Access Policy Manager (APM)
devops
iRules
management
security
  • John_Alam_45640's avatar
    John_Alam_45640
    Jan 31, 2014

    TO add to Josh's suggestion.

     

    If you see the 401 from the server in HTTP_RESPONSE, add some cookie or other marker and redirect client back to the VIP. If the cookie or other marker is seen, then do ACCESS::enable.

     

lordgix_167654's avatar
lordgix_167654
Icon for Nimbostratus rankNimbostratus
Sep 08, 2014

Im facing a similar issue:

 

I want to allow all access through a VS without authentication, until one of the backend servers sends an auh request (cert, kerberos, ntlm, user&pass, etc). In that case, I want to authenicate the user.

 

I have to test the iRule above but I believe it will acomplish what I need.

 

The difficulties start here:

 

I want to use SSO, so that if a second application requests authentication, I can chose an SSO method, and re-use the credentials used on the first authentication request. Im not sure this would work as each application would create a different session on APM, cookie wont be the same, so I shouldnt be able to re-use credentials for SSO. Am I right?

 

I was thinking about Multi-Domain SSO configuration on Access Policy properties to solve this issue.

 

Would it be viable? and how could we mix it with the above rule?

 

Thanks!