Jump to content
Updated Privacy Statement
  • Using NetScaler HTTP Callout and Policies to Implement Dynamic Login

    Aman Sood
    • Validation Status: Validated
      Has Video?: No


    Using NetScaler HTTP Callout and Policies to Implement Dynamic Login


    It is not uncommon to witness the coexistence of both legacy and modern applications within today's business environment. As most modern applications adopt Single Sign-On (SSO) based login authentication, it becomes increasingly crucial for legacy applications, predominantly reliant on form-based login authentication, to also upgrade to more simpler and secure authentication methods. It is also not advisable to rewrite the application to implement a SAML based SSO solution.  


    This article focuses on a use case of how to simulate SSO type login authentication using NetScaler HTTP callout without having to rewrite the application.



    Assume you are the owner of a legacy web application that is accessed via NetScaler. The web application uses form based login to authenticate the users against credentials stored in a database. Customer wants to migrate to an SAML based SSO solution, however it's not possible to add SAML support to this application.


    Old login flow:


    Figure1: Old login flow


    1. User issues a GET request to access the web application.
    2. NetScaler Proxies the request.
    3. Since the user is not authenticated, the user is presented with a login page.
    4. User sends its credentials in the POST request.
    5. NetScaler proxies the request.
    6. Application validates the client credentials and allows access.



    You can create a new flow using NetScaler rewrite policies, variables and HTTP callout, to allow users to access the web application without providing their credentials thus simulating an SSO type experience. Customer has created a new web service “credential management service” which takes the username of the user and sets a random password for that user in the database.


    The new authentication flow using a rewrite policy on NetScaler that simulates an SSO login is shown below.


    ouygi40dZD_G6SLldNbrIG_5cBecaf4VY7QZuNiao26mwj5S4xrrr-IZD9WhNo3u-kQcgdUlQSxDgaUv86ebzB4ZFWMtUNIOXTGC0t4Aam8IelguCh4hf1f2FTze1k9gQfoOclciFZWR7trto-S4ZLQFigure2: New login flow 


    New login flow:


    1. User is already authenticated via SAML SSO.
    2. The application is always accessed using the same NetScaler ADC/HA-Pair. 

    Login Flow:

    1. User issues a GET request to access the web application and passes its username in the request
    2. NetScaler issues an HTTP callout to the credential management service and passes the username of the SAML authenticated user in the callout request
    3. The credential management service generates a random password for this user and sets this password in the database
    4. The credential management service returns the username and password to NetScaler in the callout response
    5. NetScaler does the below processing: 
      1. Modifies the GET request to a POST
      2. Adds the response received from the credential service in the body
      3. Add “content-length” header set to the length of response received from the credential service
      4. Add “content-type” header to indicate that the content is a simple form using the default application/x-www-form-urlencoded content type
      5. NetScaler sends the request out to the web server
    6. Application validates the credentials and permits the user.

    NetScaler Configuration:

    The new authentication login flow can be achieved by using HTTP callout, variables and rewrite features available in NetScaler

    1. Create a HTTP callout “permit_user” to call the credential management service and pass the username of the user to this service /permituser URI. In our example the customer is passing the username as a query string in the GET request. 

    add policy httpCallout permit_user -IPAddress -port 8081 -returnType TEXT -urlStemExpr "\"/permituser\?\"+HTTP.REQ.URL.QUERY" -scheme http -resultExpr "HTTP.RES.BODY(64000)"

    1. Create a variable “var_callout_response” in NetScaler. The type of this variable is “text”, max length is 64000 and scope is “transaction”.  Transaction scope ensures that this variable is available only during the time of this transaction and is destroyed at the end of this transaction.

    add ns variable var_callout_response -type "text(64000)" -scope transaction

    1. Create an assignment for the “store_callout_response” and set it to the response of the HTTP callout.

    add ns assignment store_callout_action -variable "$var_callout_response" -set "sys.http_callout(permit_user)"

    1. Create rewrite actions
      1. Change the http method from GET to POST

    add rewrite action act_change_http_method_to_post replace HTTP.REQ.METHOD "\"POST\""

    1. Insert the response of the HTTP callout in the body

    add rewrite action act_add_callout_response_in_body insert_after "HTTP.REQ.BODY(0)" "$var_callout_response"

    1. Add the “content-length” header

    add rewrite action act_add_content_length insert_http_header content-length "$var_callout_response.LENGTH"

    1. Add the “content-type” header to indicate form data

    add rewrite action act_add_content_type insert_http_header content-type "\"application/x-www-form-urlencoded\""

    1. Create a rewrite policy 
      1. Assign the value to the “var_callout_response” variable by calling the HTTP callout

    add rewrite policy pol_store_callout_action True store_callout_action

    1. Policy with action for changing the GET method to POST

    add rewrite policy pol_change_req_method TRUE act_change_http_method_to_post

    1. Policy with action for setting the the callout response in the body 

    add rewrite policy pol_set_callout_body TRUE act_add_callout_response_in_body

    1. Policy with action for setting the content-length

    add rewrite policy pol_set_content_length TRUE act_add_content_length

    1. Policy with action for setting the content-type

    add rewrite policy pol_set_content_type TRUE act_add_content_type

    1. Attach the policies to the load balancing virtual server for this application.

    bind lb vserver "WebApp-VirtSvr" -policyName pol_store_callout_action -priority 100 -gotoPriorityExpression NEXT -type REQUEST

    bind lb vserver "WebApp-VirtSvr" -policyName pol_change_req_method -priority 110 -gotoPriorityExpression NEXT -type REQUEST

    bind lb vserver "WebApp-VirtSvr" -policyName pol_set_callout_body -priority 120 -gotoPriorityExpression NEXT -type REQUEST

    bind lb vserver "WebApp-VirtSvr" -policyName pol_set_content_length -priority 130 -gotoPriorityExpression NEXT -type REQUEST

    bind lb vserver "WebApp-VirtSvr" -policyName  pol_set_content_type -priority 140 -gotoPriorityExpression END -type REQUEST




    User Feedback

    Recommended Comments

    There are no comments to display.

    Create an account or sign in to comment

    You need to be a member in order to leave a comment

    Create an account

    Sign up for a new account in our community. It's easy!

    Register a new account

    Sign in

    Already have an account? Sign in here.

    Sign In Now

  • Create New...