Forum Discussion
I have taken this a bit further. What I am trying to do is to trigger the WEBSSO::disable event so that F5 stops providing the credentials using SSO to the backend StoreFront servers.
The original iRule is as follows:
    when HTTP_REQUEST {
        # Capture URI and host for use in the later ACCESS/HTTP events
        set uri  [HTTP::uri]
        set host [HTTP::host]
    }

    when CLIENT_ACCEPTED {
        ACCESS::restrict_irule_events disable
        set citrix_logout 0
    }

    when ACCESS_ACL_ALLOWED {
        set type [ACCESS::session data get session.client.type]
        if { !(${type} starts_with "citrix") } {
            if { ${uri} == "/" } {
                log local0. "Redirecting to /Citrix/InternalWeb/"
                ACCESS::respond 302 Location "https://${host}/Citrix/InternalWeb/"
            }
        }
        if { ${uri} contains "Logoff" } {
            # Flag the logoff so the response handler can redirect to the portal root
            set citrix_logout 1
            set http_host ${host}
        }
    }

    when HTTP_RESPONSE {
        if { ${citrix_logout} == 1 } {
            # Reset the flag so later responses on this keep-alive connection are not redirected
            set citrix_logout 0
            HTTP::redirect "https://${http_host}/"
        }
    }
Now back to trying to trigger the WEBSSO::disable event after the user gets logged on for the first time. My first thought was to try and do it when ACCESS_ACL_ALLOWED is triggered. So I tried the following mod:
    when ACCESS_ACL_ALLOWED {
        set type [ACCESS::session data get session.client.type]
        if { !(${type} starts_with "citrix") } {
            if { ${uri} == "/" } {
                log local0. "Redirecting to /Citrix/InternalWeb/"
                ACCESS::respond 302 Location "https://${host}/Citrix/InternalWeb/"
            }
        }
        if { ${uri} contains "Logoff" } {
            # Disable Web SSO when the logoff request is seen
            WEBSSO::disable
            set citrix_logout 1
            set http_host ${host}
        }
    }
That did nothing. So after X seconds, when the Citrix StoreFront pop-up message appears saying that the user is logged off and the user clicks on the LogOn button as a follow-up, the user gets authenticated without typing anything, since the SSO is still very much active. My second attempt was to trigger WEBSSO::disable 15 seconds after ACCESS_ACL_ALLOWED, so that the next time the user tries to log on there is no WEBSSO. So I tried the following:
    when ACCESS_ACL_ALLOWED {
        set type [ACCESS::session data get session.client.type]
        # Schedule WEBSSO::disable to run 15 s after this event fires
        after 15000 {
            WEBSSO::disable
        }
        if { !(${type} starts_with "citrix") } {
            if { ${uri} == "/" } {
                log local0. "Redirecting to /Citrix/InternalWeb/"
                ACCESS::respond 302 Location "https://${host}/Citrix/InternalWeb/"
            }
        }
        if { ${uri} contains "Logoff" } {
            set citrix_logout 1
            set http_host ${host}
        }
    }
Again, that failed since the user was able to log on without typing anything after the StoreFront timeout was triggered.
Since I had doubts about the WEBSSO::disable functionality, I also tried the following as a test:
    when ACCESS_ACL_ALLOWED {
        # Disable Web SSO on every request that passes the ACL
        WEBSSO::disable
        set type [ACCESS::session data get session.client.type]
        if { !(${type} starts_with "citrix") } {
            if { ${uri} == "/" } {
                log local0. "Redirecting to /Citrix/InternalWeb/"
                ACCESS::respond 302 Location "https://${host}/Citrix/InternalWeb/"
            }
        }
        if { ${uri} contains "Logoff" } {
            set citrix_logout 1
            set http_host ${host}
        }
    }
That works, but it is not suitable for me because it kills SSO immediately on the first logon. So the user logs on to F5 APM and then has to re-type credentials on StoreFront. That is not what I am after. The end goal is that the SSO is used on the first logon, but never again if Citrix StoreFront times out and presents the internal Citrix Log On screen.
Any help would be greatly appreciated.
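One way to get the behaviour described above, written as an added example rather than code from the original post: remember in an APM session variable that a StoreFront logoff has been seen, and call WEBSSO::disable on every later request of that session. It assumes that WEBSSO::disable applies to the current request only (so it is called per request, not once), that the StoreFront timeout path hits a URI containing "Logoff" as the poster's own rule assumes, and that the variable name session.custom.citrix.sso_done is free to choose.

```tcl
when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
    set citrix_logout 0
}

when HTTP_REQUEST {
    set uri  [HTTP::uri]
    set host [HTTP::host]
}

when ACCESS_ACL_ALLOWED {
    set type [ACCESS::session data get session.client.type]

    # Assumed variable name: set to 1 once a StoreFront logoff has been seen
    # in this APM session. Empty on the first logon, so SSO runs normally then.
    set sso_done [ACCESS::session data get session.custom.citrix.sso_done]
    if { ${sso_done} eq "1" } {
        # Assumed per-request scope: disable SSO for this request; the check
        # above repeats on every later request of the session.
        WEBSSO::disable
    }

    if { !(${type} starts_with "citrix") } {
        if { ${uri} == "/" } {
            log local0. "Redirecting to /Citrix/InternalWeb/"
            ACCESS::respond 302 Location "https://${host}/Citrix/InternalWeb/"
        }
    }

    if { ${uri} contains "Logoff" } {
        # From now on the internal StoreFront logon screen must get real input
        ACCESS::session data set session.custom.citrix.sso_done 1
        log local0. "StoreFront logoff on APM session [ACCESS::session sid]; SSO off for rest of session"
        set citrix_logout 1
        set http_host ${host}
    }
}

when HTTP_RESPONSE {
    if { ${citrix_logout} == 1 } {
        # Reset so later responses on this keep-alive connection are not redirected
        set citrix_logout 0
        HTTP::redirect "https://${http_host}/"
    }
}
```

If WEBSSO::disable turns out to be per-session on the deployed version, the same rule still works; the extra calls on later requests are then simply redundant.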