Forum Discussion

phl110_191286
May 05, 2016

ACCESS_Policy_Agent_Event Remove Session

We have our Exchange 2013 environment proxied behind APM via iApp configs. For browser authentication (through OWA and ECP) we have them both going to the same SAML IdP for authentication. However, within the SAML IdP, we have separate security levels. So we have regular /owa access be just username and password. ECP access, however, must go through our multifactor mechanisms.

If going to /owa or /ecp from a fresh browser, this works beautifully. However, if a user first authenticates to /owa and then goes to /ecp, APM just automatically logs them in without redirecting the user back to the SAML provider to apply the more secure authentication policy. I'm trying to figure out a way to insert an iRule event so that when /ecp is accessed (via Landing URI check), the iRule event removes any existing access sessions so that APM redirects the user back to SAML to authenticate. I've tried a bunch of different combinations with if/when logic for when the HTTP path contains /ecp. But no matter what I try, F5 rejects the iRule because "ACCESS::session remove" is not permitted under ACCESS_POLICY_AGENT_EVENT. At a basic level, this is essentially what I need:

1) when ACCESS_POLICY_AGENT_EVENT { ACCESS::session remove }

or

2) when ACCESS_POLICY_AGENT_EVENT { when HTTP_REQUEST { if { [HTTP::path] contains "/ecp/" } { ACCESS::session remove } } }

Has anyone tried something like this before?

  • Hi,

    Your best bet is to wait for 12.1.0, which should include "Step-Up" authentication out of the box. This is due for release very soon.

    -Seth

  • Here's a snippet of VPE layout to help clarify what we're looking to accomplish.

  • Hello,

    As a workaround, you can define one IdP for 2-factor and another standard one (to handle normal auth).

    Then you bind an OWA VS to the standard IdP and the ECP VS to the 2-factor IdP.

    The 2-factor IdP is bound to the standard IdP.

    Thus, when you connect to your OWA VS, you use username/password creds to authenticate. And when you go to the ECP VS, you are prompted for the second factor.

    This requires separating OWA and ECP by different hostnames and rejecting connections to unwanted URIs on each VS. And you need to use more access profiles.

  • Graham_Alderson
    Historic F5 Account

    Your solution won't work with a VPE iRule agent because the Landing URI object is not called for subsequent requests. The access policy only runs once, when the user first authenticates. Thus you need to do it in a per-request policy that runs every time, or in an iRule not dependent on the VPE agent (i.e. the HTTP_REQUEST or ACCESS_ACL_ALLOWED event).

    As noted above by Seth, 12.1 will have step-up authentication capabilities within per-request policies. This is considered an early access feature. I don't believe it enables SAML Auth for step-up use cases yet though, so you'd need to do the MFA using a simple RADIUS event (not RADIUS challenge; support to come later). The benefit of using this approach instead of a SAML Auth redirect is that the user won't have to enter username/password again at the IdP.

    In the meantime, or if that does not work for you, this iRule should solve your problem. You should remove the VPE iRule agent event you have now. You should also add a Variable Assign object after your successful MFA SAML auth that sets the session variable session.custom.mfa (used in the iRule) to 1. I suggest that on your VPE Landing URI object you click "change" on the /ecp URI, go to advanced mode, and change from == to starts_with so that it will capture anything starting with /ecp.

    when ACCESS_ACL_ALLOWED {
        # Fires on every request once an APM session exists, unlike a VPE agent,
        # which only runs when the access policy is first evaluated
        if { [HTTP::uri] starts_with "/ecp" } {
            # session.custom.mfa is set to 1 by the Variable Assign after the MFA SAML branch;
            # an unset variable reads back as an empty string, which also fails this test
            if { [ACCESS::session data get session.custom.mfa] != 1 } {
                # Drop the password-only session and send the browser back to the same URI,
                # so APM starts a new access policy and the Landing URI check picks the MFA branch.
                # 302 rather than 301: a 301 is cacheable by default and can get stuck in the browser.
                ACCESS::session remove
                ACCESS::respond 302 Location "[HTTP::uri]"
            }
        }
    }
    
    • phl110_191286
      This is exactly what I was looking for. It works perfectly! Thank you so much Graham!
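As an added example, not code from the thread and not F5's own, here is a hardened variant of Graham's ACCESS_ACL_ALLOWED iRule. It assumes exactly what his answer assumes: OWA and ECP sit behind one APM virtual server, and a VPE Variable Assign on the MFA SAML branch sets session.custom.mfa to 1. On top of his logic it matches the path case-insensitively and without the query string, logs the session ID and client address when a session is dropped, redirects with a 302 and an absolute Location, and marks the redirect no-store so neither the browser nor a proxy caches it.

```tcl
# Added example (not from the thread, not F5 code). Assumes a VPE Variable
# Assign on the MFA SAML branch sets session.custom.mfa to 1, as in the
# answer above; every command below is a standard APM/LTM iRule command.
when ACCESS_ACL_ALLOWED {
    # ACCESS_ACL_ALLOWED fires for every request that already carries a valid
    # APM session, so it sees the /ecp request of a browser that logged in
    # via /owa. A VPE agent (Landing URI check, iRule Event) only runs while
    # the access policy is being evaluated at session start.
    set path [string tolower [HTTP::path]]

    # Prefix match covers /ecp, /ecp/ and /ecp/anything and ignores the query
    # string (HTTP::path excludes it). Only this area needs step-up.
    if { $path starts_with "/ecp" } {
        # An unset session variable reads back as "", so compare as strings.
        set mfa [ACCESS::session data get session.custom.mfa]
        if { $mfa ne "1" } {
            # Record why the session is being dropped; this is what you look
            # for in /var/log/ltm when a user reports an unexpected extra login.
            log local0. "step-up: session [ACCESS::session sid] has mfa=\"$mfa\", dropping for [HTTP::method] [HTTP::uri] from [IP::client_addr]"

            # Invalidate the password-only session. The browser's MRHSession
            # cookie now refers to nothing, so the redirected request starts
            # the access policy again and the Landing URI check routes /ecp
            # to the MFA branch at the IdP.
            ACCESS::session remove

            # 302 (temporary) rather than 301: a 301 is cacheable by default,
            # and a browser that caches "/ecp -> /ecp" can loop even after MFA
            # has succeeded. no-store keeps intermediaries from caching it too.
            ACCESS::respond 302 Location "https://[HTTP::host][HTTP::uri]" \
                Cache-Control "no-store"
        }
    }
}
```

Two things worth checking before relying on this. First, the gate is only as good as the Variable Assign: if the object that sets session.custom.mfa is reachable from the password-only branch (for example, placed after the branches rejoin), a /owa login followed by /ecp will pass straight through, so test that exact sequence from a fresh browser and confirm the log line above appears and the IdP prompts for the second factor. Second, the rule is deliberately one-directional: a session that has passed MFA keeps mfa=1 and can still browse /owa, which is the intended ordering of assurance levels, while a password-only session is torn down the moment it touches /ecp.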