It is not uncommon to find legacy and modern applications coexisting in today's business environment. As most modern applications adopt Single Sign-On (SSO) based login authentication, it becomes increasingly important for legacy applications, which predominantly rely on form-based login authentication, to move to simpler and more secure authentication methods as well. It is also not advisable to rewrite the application to implement a SAML-based SSO solution.
This article walks through a use case showing how to simulate SSO-style login authentication with a NetScaler HTTP callout, without rewriting the application.
Challenge:
Assume you are the owner of a legacy web application that is accessed via NetScaler. The web application uses a form-based login to authenticate users against credentials stored in a database. The customer wants to migrate to a SAML-based SSO solution, but it is not possible to add SAML support to this application.
Old login flow:
Figure1: Old login flow
The user issues a GET request to access the web application. NetScaler proxies the request. Since the user is not authenticated, the user is presented with a login page. The user sends their credentials in a POST request. NetScaler proxies the request. The application validates the client credentials and allows access.
Solution:
You can create a new flow using NetScaler rewrite policies, variables and an HTTP callout that lets users access the web application without providing their credentials, thus simulating an SSO-type experience. The customer has created a new web service, the “credential management service”, which takes the username of the user and sets a random password for that user in the database.
The new authentication flow using a rewrite policy on NetScaler that simulates an SSO login is shown below.
Figure2: New login flow
New login flow:
Prerequisite:
The user is already authenticated via SAML SSO. The application is always accessed using the same NetScaler ADC/HA pair.
Login flow:
1. The user issues a GET request to access the web application and passes its username in the request.
2. NetScaler issues an HTTP callout to the credential management service and passes the username of the SAML-authenticated user in the callout request.
3. The credential management service generates a random password for this user and sets this password in the database.
4. The credential management service returns the username and password to NetScaler in the callout response.
5. NetScaler does the following processing:
   - Modifies the GET request to a POST
   - Adds the response received from the credential service in the body
   - Adds a “content-length” header set to the length of the response received from the credential service
   - Adds a “content-type” header to indicate that the content is a simple form using the default application/x-www-form-urlencoded content type
6. NetScaler sends the request out to the web server.
7. The application validates the credentials and permits the user.
NetScaler Configuration:
The new authentication login flow can be achieved using the HTTP callout, variable and rewrite features available in NetScaler.
Create an HTTP callout “permit_user” that calls the credential management service and passes the username of the user to this service's /permituser URI. In our example the customer passes the username as a query string in the GET request.
add policy httpCallout permit_user -IPAddress 10.105.158.236 -port 8081 -returnType TEXT -urlStemExpr "\"/permituser\?\"+HTTP.REQ.URL.QUERY" -scheme http -resultExpr "HTTP.RES.BODY(64000)"
Create a variable “var_callout_response” in NetScaler. The type of this variable is “text”, the maximum length is 64000 and the scope is “transaction”. Transaction scope ensures that this variable is available only for the duration of this transaction and is destroyed at the end of it.
add ns variable var_callout_response -type "text(64000)" -scope transaction
Create an assignment “store_callout_action” that sets the variable to the response of the HTTP callout.
add ns assignment store_callout_action -variable "$var_callout_response" -set "sys.http_callout(permit_user)"
Create the rewrite actions:
Change the HTTP method from GET to POST.
add rewrite action act_change_http_method_to_post replace HTTP.REQ.METHOD "\"POST\""
Insert the response of the HTTP callout in the body.
add rewrite action act_add_callout_response_in_body insert_after "HTTP.REQ.BODY(0)" "$var_callout_response"
Add the “content-length” header.
add rewrite action act_add_content_length insert_http_header content-length "$var_callout_response.LENGTH"
Add the “content-type” header to indicate form data.
add rewrite action act_add_content_type insert_http_header content-type "\"application/x-www-form-urlencoded\""
Create the rewrite policies:
Policy that assigns the value of the HTTP callout to the “var_callout_response” variable.
add rewrite policy pol_store_callout_action TRUE store_callout_action
Policy with the action for changing the GET method to POST.
add rewrite policy pol_change_req_method TRUE act_change_http_method_to_post
Policy with the action for setting the callout response in the body.
add rewrite policy pol_set_callout_body TRUE act_add_callout_response_in_body
Policy with the action for setting the content-length.
add rewrite policy pol_set_content_length TRUE act_add_content_length
Policy with the action for setting the content-type.
add rewrite policy pol_set_content_type TRUE act_add_content_type
Attach the policies to the load balancing virtual server for this application. The priorities matter: the assignment must run first so that the variable is populated before the body and header actions use it.
bind lb vserver "WebApp-VirtSvr" -policyName pol_store_callout_action -priority 100 -gotoPriorityExpression NEXT -type REQUEST
bind lb vserver "WebApp-VirtSvr" -policyName pol_change_req_method -priority 110 -gotoPriorityExpression NEXT -type REQUEST
bind lb vserver "WebApp-VirtSvr" -policyName pol_set_callout_body -priority 120 -gotoPriorityExpression NEXT -type REQUEST
bind lb vserver "WebApp-VirtSvr" -policyName pol_set_content_length -priority 130 -gotoPriorityExpression NEXT -type REQUEST
bind lb vserver "WebApp-VirtSvr" -policyName pol_set_content_type -priority 140 -gotoPriorityExpression END -type REQUEST
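The following is an added, offline model of the three parties in this flow (not the customer's service or the NetScaler code): the credential management service behind /permituser, the GET-to-POST rewrite the five policies perform, and the legacy application's form login checking the database. Function names, the in-memory USER_DB and the PBKDF2 storage format are assumptions; it also assumes the username in the callout originates from the SAML-authenticated session, not from unauthenticated client input.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for the application's user table: username -> (salt, hash)
USER_DB: dict[str, tuple[bytes, bytes]] = {}

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def permit_user(query: str) -> str:
    """Credential management service behind /permituser?<query>.
    NetScaler forwards HTTP.REQ.URL.QUERY; the username is assumed to come
    from the SAML login, not to be typed by the client."""
    params = parse_qs(query, strict_parsing=True)
    username = params["username"][0]
    password = secrets.token_urlsafe(24)   # fresh random password per login
    salt = secrets.token_bytes(16)
    USER_DB[username] = (salt, _hash(password, salt))
    # The callout body is inserted verbatim, so it must already be form-encoded
    return urlencode({"username": username, "password": password})

def rewrite_to_post(path: str, callout_body: str) -> bytes:
    """What the rewrite policies produce from the original GET request."""
    return (
        f"POST {path} HTTP/1.1\r\n"
        f"content-length: {len(callout_body)}\r\n"   # $var_callout_response.LENGTH
        "content-type: application/x-www-form-urlencoded\r\n\r\n"
        f"{callout_body}"
    ).encode()

def app_login(raw_request: bytes) -> bool:
    """Legacy application's form handler, validating against USER_DB."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    if not head.startswith(b"POST "):
        return False
    form = parse_qs(body.decode())
    username, password = form["username"][0], form["password"][0]
    if username not in USER_DB:
        return False
    salt, stored = USER_DB[username]
    return hmac.compare_digest(_hash(password, salt), stored)

def simulate_login(username: str) -> bool:
    """End-to-end: GET with username -> callout -> rewritten POST -> app."""
    query = urlencode({"username": username})
    body = permit_user(query)              # sys.http_callout(permit_user)
    request = rewrite_to_post(f"/login?{query}", body)
    return app_login(request)
```

Because every login sets a new random password, a captured callout body is only good until the next callout for that user.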