How to Configure an "Additional Authentication Header" using the LoadMaster for Server Side Authentication using ESP

 

Information

 

Summary:

This article covers the steps needed to configure an Additional Authentication Header that the LoadMaster sends to the Real Server to complete server-side authentication.

Environment:

Product: LoadMaster

Version: LTS and above

Platform: Any

Application: Any

Question/Problem Description:

If the real server can be configured to accept a unique authentication header as a valid authentication method, can the LoadMaster be configured to send the user ID in UPN or SAM account format?

Is it possible to configure the LoadMaster to send an Additional Authentication Header?

Steps to Reproduce:

Configure an HTTP/HTTPS Virtual Service.

Enable ESP on the Virtual Service and configure it for SAML Authentication.

Under the ESP options the client side authentication mode should be set to "SAML".

The server side authentication mode should be set to "KCD" or "none".

Under the ESP Options, configure the "Additional Authentication Header" as the real server would expect it.

The real server should be configured to expect and accept the configured authentication header.

Error Message:  
Defect Number:  
Enhancement Number:  
Cause:

Under the ESP Options the LoadMaster does not support "SAML" authentication client side with "Forms based" authentication configured server side.

For a full list of supported client/server side authentication methods please follow this link.

LoadMaster does support "SAML" authentication client side with "none" configured server side under the ESP options.

Resolution:

Enable ESP on an HTTP/HTTPS Virtual Service with SSL Offloading (re-encryption is optional).

Configure ESP for "SAML" authentication client side and "KCD" or "none" server side.

Configure the "Additional Authentication Header" with the unique identifier that the real server is configured to accept.


If the Virtual Service, the ESP Options and the SAML SSO Domain are configured correctly, the LoadMaster redirects a client to the SAML Identity Provider (IDP) for authentication as soon as the client attempts to connect to the service.

 

If the SAML authentication was successful, the client's UPN or SAM account name is extracted from the SAML Response and forwarded to the real server in the newly configured "Additional Authentication Header".

 

Additional Authentication Header:

This option is only available if SAML is selected as the Client Authentication Mode. Specify the name of the HTTP header. This header is added to the HTTP request from the LoadMaster to the Real Server and its value is set to the user ID for the authenticated session. You can enter up to 255 characters in this field.

 

 

To verify that the header is working, and to see which format the user name is forwarded in, enable the L7 Debug Trace:

System Configuration --> Logging Options --> System Log Files --> Debug Options --> Enable L7 Debug Trace --> Enable Trace.

 

Once the L7 Debug Trace has been enabled, authenticate against the ESP-enabled service.

If the User ID was extracted successfully in UPN format, the following log can be observed:

2022-04-30 T15:00:00+00:00 LM01 kernel: L7: ffff8881af84e2d0: l7_add_basicauth: adding header NEW_AUTH_HEADER:user1@domain.com

If the User ID needs to be passed in SAM account format, the following log can be observed:

2022-04-30 T15:00:00+00:00 LM01 kernel: L7: ffff8881aed50a80: l7_add_basicauth: adding header NEW_AUTH_HEADER:user1

 

To see the above logs go to:

System Configuration --> Logging Options --> System Log Files --> System Message Files --> View
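The check described above can be automated once the System Message File text has been saved. The following Python script is an added example, not part of the original article or Kemp's own tooling: it scans for the `l7_add_basicauth` lines shown above and reports any user ID forwarded in a format other than the one the real server expects. The function names, the `expected_format` argument and the third sample line are assumptions made for illustration.

```python
import re
from collections import Counter

# Matches the L7 debug trace line shown in this article. "ref" is the hex value
# printed after "L7:"; the article does not state what it identifies.
TRACE_RE = re.compile(
    r"^(?P<ts>.+?)\s+(?P<host>\S+)\s+kernel:\s+L7:\s+(?P<ref>[0-9a-f]+):\s+"
    r"l7_add_basicauth: adding header (?P<header>[^:\s]+):\s*(?P<value>.*)$"
)

# First two lines are the article's own log samples; the third is constructed.
SAMPLE = [
    "2022-04-30 T15:00:00+00:00 LM01 kernel: L7: ffff8881af84e2d0: l7_add_basicauth: adding header NEW_AUTH_HEADER:user1@domain.com",
    "2022-04-30 T15:00:00+00:00 LM01 kernel: L7: ffff8881aed50a80: l7_add_basicauth: adding header NEW_AUTH_HEADER:user1",
    "2022-04-30 T15:00:01+00:00 LM01 kernel: L7: unrelated trace line",
]

def classify_user_id(value):
    """Return 'UPN' for user@domain, 'SAM' for a bare account name, else 'UNKNOWN'."""
    value = value.strip()
    if re.fullmatch(r"[^@\s\\]+@[^@\s\\]+", value):
        return "UPN"
    if re.fullmatch(r"[^@\s\\]+", value):
        return "SAM"
    return "UNKNOWN"  # empty value or any form the article does not show

def audit_trace(lines, header_name, expected_format):
    """Return (count per format, trace entries whose format differs from expected)."""
    counts, mismatches = Counter(), []
    for line in lines:
        m = TRACE_RE.match(line.strip())
        if not m or m["header"].lower() != header_name.lower():
            continue  # not a trace line for the configured header
        fmt = classify_user_id(m["value"])
        counts[fmt] += 1
        if fmt != expected_format:
            mismatches.append((m["ts"], m["ref"], fmt, m["value"].strip()))
    return counts, mismatches

if __name__ == "__main__":
    # Assumption: the real server only accepts SAM account names.
    counts, mismatches = audit_trace(SAMPLE, "NEW_AUTH_HEADER", expected_format="SAM")
    print(dict(counts))
    for ts, ref, fmt, value in mismatches:
        print(f"{ts} ref={ref}: forwarded as {fmt} ({value}), real server expects SAM")
```
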

 

Please note: By default, the LoadMaster passes the User ID in UPN format when it is extracted from the SAML response.

If the real server only accepts the User ID in SAM account format for successful authentication on the backend, you will need to disable the UPN-related claims on your SAML IDP.

For more information about SAML and its configuration, please refer to the following link.

Workaround:  
Notes:

SAML Configuration Guide

ESP Feature Description

