apm sso form-basedv2

apm sso form-basedv2(1)       BIG-IP TMSH Manual       apm sso form-basedv2(1)



NAME
       form-basedv2 - Configures a single sign-on form-basedv2 configuration
       object.

MODULE
       apm sso

SYNTAX
       Configure the form-basedv2 component within the sso module using the
       syntax shown in the following sections.

   CREATE/MODIFY
	create form-basedv2 [name]
	  options:
	    app-service [[string] | none]
	    forms [add | replace-all-with] {
	      [name] {
		request-value [URIs]
		controls [add | replace-all-with] {
		  [name] {
		    value [string]
		  }
		}
	      }
	    }

	modify form-basedv2 [name]
	  options:
	    apm-log-config [[string] | none]
	    app-service [[string] | none]
	    forms [add | delete | modify | replace-all-with] {
	      [name] {
		options:
		  app-service [[string] | none]
		  attribute-value [[string] | none]
		  controls [add | delete | modify | replace-all-with] {
		    [name] {
		      options:
			app-service [[string] | none]
			secure [true | false]
			value [string]
		    }
		  }
		  description [[string] | none]
		  form-order [integer]
		  id-type [action | id | inputs | name | order]
		  request-method [get | post]
		  request-name [[string] | none]
		  request-negative [true | false]
		  request-prefix [true | false]
		  request-type [cookie | header | uri]
		  request-value [[string] | none]
		  submit-autodetect [true | false]
		  submit-javascript [[string] | none]
		  submit-javascript-type [auto | custom | extra]
		  submit-method post
		  submit-name [[string] | none]
		  submit-negative [true | false]
		  submit-prefix [true | false]
		  submit-type [cookie | header | uri]
		  submit-value [[string] | none]
		  success-match-type [cookie | none | url]
		  success-match-value [[string] | none]
	      }
	    }
	    headers [add | delete | modify | none | replace-all-with] {
	      [name] {
		options:
		  app-service [[string] | none]
		  description [[string] | none]
		  name [string]
		  value [string]
	      }
	    }
	    log-level [alert | crit | debug | emerg | err | info | notice | warn]

	edit form-basedv2 [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties

	reset-stats
	reset-stats [ [ [name] | [glob] | [regex] ] ... ]

   DISPLAY
	list form-basedv2
	list form-basedv2 [ [ [name] | [glob] | [regex] ] ... ]
	show running-config form-basedv2
	show running-config form-basedv2 [ [ [name] | [glob] |
				    [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties
	    one-line
	    partition

	show form-basedv2
	show form-basedv2 [name]

   DELETE
	delete form-basedv2 [name]

DESCRIPTION
       You can use the form-basedv2 component to configure an SSO form-basedv2
       configuration object. When creating a new SSO form-based v2
       configuration object, you must add at least one forms item and within
       it at least one controls item. You must also provide a value for the
       request-value option in the forms item.

       The SSOv2 module identifies and processes two types of application HTTP
       requests - logon page requests and credentials submit requests. Logon
       page requests are identified using the request- set of options.
       Credentials submit requests, in most cases, are identified
       automatically. When this fails, you can set the submit-autodetect
       option to false and use the submit- set of options to identify these
       requests.

       When the SSOv2 module identifies a logon page request, it scans the
       response trying to find the logon form. If the logon form is found,
       SSOv2 inserts a JavaScript code that will cause the logon form to be
       submitted automatically by the browser. The client must support
       JavaScript.

       When the SSOv2 module identifies a credentials submit request, it
       compares POST data parameter names with form controls defined in the
       configuration. For a POST data parameter name that has a corresponding
       form control, the SSOv2 module replaces its value with the control
       value from the configuration. Control values are usually supplied
       through session variables, such as session.sso.token.last.username and
       session.sso.token.last.password. POST data parameters that have no
       corresponding controls in the configuration are not changed.

       The majority of web applications have a single logon page with one
       logon form. You will need to define a single forms item for these
       applications. In rare cases when an application has multiple logon
       pages with different logon forms, you will need to create multiple
       forms items, one for each logon page/form. If multiple logon pages use
       the same form, you will need only one forms item with a list of URIs
       for all logon pages.

       Every forms item must include at least one controls item, and can
       include up to 32 controls items. Each controls item represents an input
       element of an HTML logon form, such as form fields for entering
       username and password, and, optionally, any hidden form parameters. The
       name of the controls item must match the name attribute of the
       corresponding input tag of the form. For example, if the form has the
       following HTML tag for entering the username:

	   

       the forms item must include a controls item with the name
       Bugzilla_login. The controls item used for entering the user's password
       must have the secure option set to true. The value of a control item
       should usually be the name of a session variable, starting with the
       percent (%) sign and enclosed in curly braces ({}); for example, the
       value for the username control item:
       %{session.sso.token.last.username}. The value can also be a string, or
       a combination of strings and session variable names.

EXAMPLES
       create form-basedv2 fbssov2-owa2010 { forms add { owa2010 { controls
       add { password { secure true value %\{session.sso.token.last.password\}
       } username { value  %\{session.sso.token.last.username\} } } request-
       value /owa/auth/logon.aspx\?replaceCurrent=1 submit-javascript clkLgn()
       submit-javascript-type extra success-match-type cookie success-match-
       value sessionid } } }

       Creates an SSO form-basedv2 configuration object named fbssov2-owa2010.

       delete fbsso-owa2010

       Deletes an SSO form-basedv2 configuration object named fbssov2-owa2010.

OPTIONS
       app-service
	    Specifies the name of the application service to which the object
	    belongs. The default value is none. Note: If the strict-updates
	    option is enabled on the application service that owns the object,
	    you cannot modify or delete the object. Only the application
	    service can modify or delete the object.

       forms
	    Specifies one or more items, each defining SSO processing of a
	    separate application logon form.

       [name]
	    Specifies the name of the form item. It does not have to match the
	    actual name of the HTML form and can be arbitrary.

	    The options are:

	    app-service
		 Specifies the name of the application service to which the
		 form item belongs. The default value is none. Note: If the
		 strict-updates option is enabled on the application service
		 that owns the object, you cannot modify or delete the form
		 item. Only the application service can modify or delete the
		 form item.

	    attribute-value
		 Specifies the value of the HTML 
 tag attribute used to
		 identify the logon form. The attribute could be id, name, or
		 action, and is specified by the id-type option. For other
		 values of the id-type option, this is not used and should be
		 set to none.

	    controls
		 Specifies one or more form control items (up to 32) that you
		 want to be processed by SSOv2.

       [name]
	    Specifies the name of the HTML form control item. It must match
	    the name attribute value of the HTML form's input tag.

	    The options are:

	    app-service
		 Specifies the name of the application service to which the
		 control item belongs. The default value is none. Note: If the
		 strict-updates option is enabled on the application service
		 that owns the object, you cannot modify or delete the control
		 item. Only the application service can modify or delete the
		 control item.

	    secure
		 Specifies whether the control item represents the HTML input
		 tag of type "password". The default is false.

	    value
		 Specifies the value of the control item. This is usually the
		 name of a session variable. If the session variable is not
		 found when the SSO request is processed, the value of the
		 corresponding POST parameter will be empty. The value could
		 also be a literal string or a combination of strings and
		 session variable names.

       description
	    User-defined description.

       form-order
	    Specifies the order of the HTML logon form on the logon page when
	    the id-type option is set to order. Starts with 1.

       id-type
	    Specifies how the HTML logon form is found in the HTML body of the
	    logon page. If there is more than one form on the logon page
	    matching the criteria, the first match is used. The default is
	    inputs.

	    The options are:

	    action
		 The logon form is identified by the value of the  tag
		 in the action attribute. The value is specified in the
		 attribute-value option.

	    id	 The logon form is identified by the id attribute's value of
		 the  tag. The value is specified in the attribute-value
		 option.

	    name The logon form is identified by the name attribute's value of
		 the  tag. The value is specified in the attribute-value
		 option.

	    order
		 The logon form is identified by its relative order on the
		 logon page (starting from 1). The order is specified in the
		 form-order option.

	    inputs
		 The logon form is identified by a combination of controls
		 items. The controls in the configuration must have
		 corresponding  elements in the form.

       request-method
	    Specifies the HTTP method of the application's request returning
	    logon page. Default is get.

       request-name
	    Specifies the name of the HTTP cookie or the name of the HTTP
	    header used to identify application's request for logon page. The
	    cookie or header is selected by the request-type option. The value
	    of the cookie or header is specified by the request-value option.
	    When the request-type option is set to uri, this option is not
	    used and should be set to none.

       request-negative
	    When set to true, the application's request for logon page will be
	    identified by the absence of the specified cookie or header, or by
	    a failed match against the list of specified URIs. The default is
	    false.

       request-prefix
	    Specifies how the value of the request-value option will be used
	    to match one of the HTTP request cookie, header, or URI. The
	    default is true and specifies a partial match; false specifies an
	    exact match.

       request-type
	    Specifies which element of the HTTP request headers is used to
	    identify the application's request for logon page. The default is
	    uri.

	    The options are:

	    cookie
		 The request is identified by the presence (or absence) of a
		 cookie. The name and value of the cookie are specified by the
		 request-name and request-value options.

	    header
		 The request is identified by the presence (or absence) of the
		 HTTP header. The name and value of the header are specified
		 by the request-name and request-value options.

	    uri  The request is identified by a successful (or failed) match
		 against a list of URIs specified by the request-value option,
		 and the request-name option is not used.

       request-value
	    Specifies the value of the HTTP request element that must be
	    matched to identify the request as the application's request for
	    the logon page. This is one of: the cookie value, the header
	    value, or a list of URIs (one per line) as specified by the
	    request-type option. Cookie or header value could be set to none,
	    in which case only the presence of the named cookie or header is
	    checked and the value is not checked. When checking for URI, the
	    value must be specified.

       submit-autodetect
	    When set to true, the application's HTTP request that submits the
	    user's credentials will be identified automatically and other
	    submit- options should not be used. When false, the form submit
	    will be identified using a combination of other submit- options.
	    The default is true.

       submit-javascript
	    Specifies user-provided JavaScript code to be inserted into the
	    logon page to perform automatic form submission when the submit-
	    javascript-type option is set to custom. The custom JavaScript
	    code replaces the code automatically generated by the SSOv2
	    module. When the submit-javascript-type option is set to extra, it
	    specifies the application's JavaScript functions to call from the
	    automatically generated JavaScript code prior to submitting a
	    logon form. When the submit-javascript-type option is set to auto,
	    this option should be set to none.

       submit-javascript-type
	    Specifies the type of JavaScript code to be inserted into the
	    logon page by the SSOv2 module to perform automatic logon form
	    submission.

	    The options are:

	    auto JavaScript code is automatically generated by the SSOv2
		 module.

	    custom
		 JavaScript code is provided by the user in the submit-
		 javascript option.

	    extra
		 JavaScript code is automatically generated by the SSOv2
		 module, and additional JavaScript code provided by the user
		 in the submit-javascript option is inserted before the form
		 submit statement.

       submit-method
	    Specifies the HTTP method of credentials submit request for the
	    application. This must be set to post. This option is not used
	    when submit-autodetect is true.

       submit-name
	    Specifies the name of the HTTP cookie or the name of HTTP header
	    used to identify credentials submit request for the application.
	    The cookie or header is selected by the submit-type option. The
	    value of the cookie or header is specified by the submit-value
	    option. When the submit-type option is set to uri, this option is
	    not used and should be set to none. This option is not used when
	    submit-autodetect is true.

       submit-negative
	    When set to true, the credentials submit request for the
	    application is identified by the absence of a specified cookie or
	    header, or by a failed match against the list of specified URIs.
	    The default is false. This option is not used when submit-
	    autodetect is true.

       submit-prefix
	    Specifies how the value of the submit-value option will be used to
	    match the HTTP request cookie, header, or URI. The default is true
	    and specifies partial match; false specifies exact match. This
	    option is not used when submit-autodetect is true.

       submit-type
	    Specifies which element of HTTP request headers is used to
	    identify the credentials submit request for the application. The
	    default is uri. This option is not used when submit-autodetect is
	    true.

	    The options are:

	    cookie
		 The request is identified by the presence (or absence) of a
		 cookie. The name and value of the cookie are specified by the
		 submit-name and submit-value options.

	    header
		 The request is identified by the presence (or absence) of the
		 HTTP header. The name and value of the header are specified
		 by the submit-name and submit-value options.

	    uri  The request is identified by a successful (or failed) match
		 against a list of URIs specified by the submit-value option
		 and the submit-name option is not used.

       submit-value
	    Specifies the value of the HTTP request element that must be
	    matched to identify the request as a credentials submit request
	    for the application. This is one of: the cookie value, the header
	    value, or a list of URIs (one per line) as specified by the
	    submit-type option. Cookie or header value could be set to none,
	    in which case only the presence of the named cookie or header is
	    checked and the value is not checked. When checking for URI, the
	    value must be specified. This option is not used when submit-
	    autodetect is true.

       success-match-type
	    Specifies how the SSOv2 module detects whether the credentials
	    submit request was successful. When the SSOv2 module detects that
	    the credentials submission failed, the SSOv2 configuration used
	    for this HTTP transaction is disabled for the user session. If you
	    specify a value for this option, you must also specify a value for
	    success-match-value. The default is none. The options are:

	    url  Credentials submission was successful if the response
		 contains the HTTP Location header with a value matching one
		 of the URLs specified by the success-match-value option.

	    cookie
		 Credentials submission was successful if the response
		 contains the HTTP cookie with the name specified by the
		 success-match-value option.

	    none No check is performed. If SSO logon fails and the application
		 server redirects back to the logon page that matches the
		 criteria of the logon page request, SSO will be retried,
		 possibly causing authentication loop.

       success-match-value
	    Specifies the value used to detect the success or failure of the
	    SSO logon. When the success-match-type option is set to url, this
	    is a list of URLs. Each URL in the list can contain a single
	    wildcard character (*). When the success-match-type option is set
	    to cookie, this option specifies the name of the cookie. The
	    default is none.

       headers
	    Specifies the name and value of the HTTP header to be inserted in
	    an HTTP Request that passes through the APM SSOv2 module.

       [name]
	    Specifies the name of the headers item.

	    The options are:

	    app-service
		 Specifies the name of the application service to which the
		 HTTP header belongs. The default value is none. Note: If the
		 strict-updates option is enabled on the application service
		 that owns the object, you cannot modify or delete the HTTP
		 header. Only the application service can modify or delete the
		 HTTP header.

	    name Specifies the name of the HTTP header.

	    value
		 Specifies the value of the HTTP header.

       apm-log-config
	    Specifies log-setting object to associate with this sso. If this
	    value is empty, logging framework uses log-setting configuration
	    associated with the access profile where sso is used.

       log-level
	    log-level is deprecated. Instead use apm-log-config to customize
	    log-setting.

SEE ALSO
       basic, kerberos, ntlmv1, ntlmv2, form-based

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or
       by any means, electronic or mechanical, including photocopying,
       recording, or information storage and retrieval systems, for any
       purpose other than the purchaser's personal use, without the express
       written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2012-2013, 2016. All rights
       reserved.



BIG-IP				  2016-09-28	       apm sso form-basedv2(1)