How to create a LTPA session cookie for Lotus Domino using F5 BIG-IP
June 16th, 2009
I have previously blogged about how to create an LTPA session cookie for Lotus Domino, and now I am finally able to present the code for creating this LTPA cookie that can be implemented on the F5 BIG-IP platform using the F5 iRules Control Language (which builds upon the Tcl scripting language). I created the code by going through a Java library for creating an LTPA cookie, written by Miha Vitorovič.
The F5 iRule code is available for you to download - you just need to add the code necessary to do authentication of the user. Check F5 DevCentral for examples on this - for instance this iRule example that does reverse proxy with basic SSO.
Update: Based on this blog post I have created an article on this in the Lotus Notes & Domino wiki per request from Joyce Davis.
The following shows the actual code:
when RULE_INIT {
    # Don't change this
    set cookie_name "LtpaToken"
    # Don't change this
    set ltpa_version "\x00\x01\x02\x03"
    # Set this to the LTPA secret key from your Lotus Domino LTPA configuration
    set ltpa_secret "b64encodedsecretkey"
    # Set this to the timeout value from your Lotus Domino LTPA configuration
    set ltpa_timeout "1800"
}

when HTTP_REQUEST {
    #
    # Do your usual F5 HTTP authentication here
    #

    # Initial values
    set creation_time_temp [clock seconds]
    set creation_time [format %X $creation_time_temp]
    set expr_time_temp [expr { $creation_time_temp + $::ltpa_timeout }]
    set expr_time [format %X $expr_time_temp]
    set username [HTTP::username]
    set ltpa_secret_decode [b64decode $::ltpa_secret]

    # First part of token
    set cookie_data_raw {}
    append cookie_data_raw $::ltpa_version
    append cookie_data_raw $creation_time
    append cookie_data_raw $expr_time
    append cookie_data_raw $username
    append cookie_data_raw $ltpa_secret_decode

    # SHA1 of first part of token
    set sha_cookie_raw [sha1 $cookie_data_raw]

    # Final not yet encoded token
    set ltpa_token_raw {}
    append ltpa_token_raw $::ltpa_version
    append ltpa_token_raw $creation_time
    append ltpa_token_raw $expr_time
    append ltpa_token_raw $username
    append ltpa_token_raw $sha_cookie_raw

    # Final Base64 encoded token
    set ltpa_token_final [b64encode $ltpa_token_raw]

    # Insert the cookie
    HTTP::cookie insert name $::cookie_name value $ltpa_token_final

    # Remove Authorization HTTP header to avoid using basic authentication
    if { [HTTP::header exists "Authorization"] } {
        HTTP::header remove "Authorization"
    }
}
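As an added example (not part of the original post and not the iRule itself), the following Python reproduces the token layout the iRule builds, so you can generate a token offline and, more usefully, take a cookie value that Domino rejects apart to see its fields. It also checks a token the way a relying party would: recompute the SHA-1 over the signed part plus the secret, and compare the hex timestamps against the current clock. The secret, the username and the timestamp are constructed values; how Domino itself orders its checks is not described in the post, so the check order here is an assumption.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed values for this example. The real secret is the base64 string
# copied from the Domino Web SSO configuration document.
LTPA_VERSION = b"\x00\x01\x02\x03"
LTPA_TIMEOUT = 1800                                                       # seconds, as in the iRule
EXAMPLE_SECRET_B64 = base64.b64encode(b"example-ltpa-secret!").decode()  # 20 bytes, made up
WRONG_SECRET_B64 = base64.b64encode(b"some-other-secret-xx").decode()    # 20 bytes, made up


def build_ltpa_token(username, secret_b64, now, timeout=LTPA_TIMEOUT):
    """Build the cookie value the way the iRule does:
    version || created (8 upper-case hex) || expires (8 upper-case hex) || username
    || SHA1(all of that || decoded secret), then base64 the whole thing.
    'now' is seconds since the epoch, like [clock seconds]."""
    secret = base64.b64decode(secret_b64)
    created = format(now, "08X").encode("ascii")
    expires = format(now + timeout, "08X").encode("ascii")
    header = LTPA_VERSION + created + expires + username.encode("ascii")
    digest = hashlib.sha1(header + secret).digest()   # raw 20-byte digest, as iRules' [sha1]
    return base64.b64encode(header + digest).decode("ascii")


def split_ltpa_token(token):
    """Decode a token into its fields without checking anything; useful when
    Domino complains and you want to see what was actually sent."""
    raw = base64.b64decode(token)
    if len(raw) < 4 + 8 + 8 + 1 + 20:   # shortest possible token: 1-char username
        raise ValueError("token too short")
    return {
        "version": raw[:4],
        "created_hex": raw[4:12].decode("ascii", "replace"),
        "expires_hex": raw[12:20].decode("ascii", "replace"),
        "username": raw[20:-20].decode("ascii", "replace"),
        "digest": raw[-20:],
        "signed_part": raw[:-20],
    }


def check_ltpa_token(token, secret_b64, now):
    """Validate like a relying party (assumed check order, not from the post):
    version, recomputed SHA-1, then the created/expires window.
    Returns "ok" or a short reason for rejection."""
    try:
        fields = split_ltpa_token(token)
    except (ValueError, binascii.Error):
        return "malformed token"
    if fields["version"] != LTPA_VERSION:
        return "bad version prefix"
    secret = base64.b64decode(secret_b64)
    expected = hashlib.sha1(fields["signed_part"] + secret).digest()
    if not hmac.compare_digest(fields["digest"], expected):
        return "signature mismatch"
    try:
        created = int(fields["created_hex"], 16)
        expires = int(fields["expires_hex"], 16)
    except ValueError:
        return "timestamps are not hex"
    if created > now:
        return "token created in the future"   # clock skew between issuer and Domino
    if now >= expires:
        return "token expired"
    return "ok"


def parse_ltpa_token(token, secret_b64, now):
    """Validate, then return the principal and validity window as integers."""
    verdict = check_ltpa_token(token, secret_b64, now)
    if verdict != "ok":
        raise ValueError(verdict)
    fields = split_ltpa_token(token)
    return {
        "username": fields["username"],
        "created": int(fields["created_hex"], 16),
        "expires": int(fields["expires_hex"], 16),
    }


if __name__ == "__main__":
    # Constructed timestamp: 1245110000 is mid-June 2009, i.e. 0x4A36DEF0
    tok = build_ltpa_token("jdoe", EXAMPLE_SECRET_B64, 1245110000)
    print(tok)
    print(split_ltpa_token(tok))
    print(check_ltpa_token(tok, EXAMPLE_SECRET_B64, 1245110060))
```

Two points this makes visible that the iRule hides: the timestamps are plain upper-case hex seconds, so a "token needs to be renewed" style rejection is a clock or timeout mismatch between the issuer and Domino rather than a signature problem, and the SHA-1 is a raw 20-byte digest sitting at the very end of the decoded token, so anything that alters the username bytes (for instance a non-ASCII name encoded differently on each side) shows up as a signature mismatch. The example only handles ASCII usernames; the iRule appends whatever Tcl string [HTTP::username] returns.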
Tags: F5 BIG-IP, F5 iRules, Lotus Domino, LTPA, single sign-on
November 3rd, 2011 at 02:25
Hi,
Recently I've picked up your code to use in conjunction with a VPN appliance. You login to the appliance, it authenticates you and forwards the username to an F5, which runs your script to generate a token / cookie using that username and the LTPA secret.
This is all working, however on the Domino server the log shows an error message that the token needs to be renewed, so somewhere there are time issues, and when we manually make the time acceptable, we get an error that the token does not begin with a '0'. Have you run into this or similar issues? So somehow the code seems to be producing an invalid token. Any advice would be appreciated.
November 3rd, 2011 at 20:41
Hi Steve, I have not seen this issue before.
In a totally different context (not related to F5 and LTPA) I've seen issues with MD5 where I needed to pad the MD5 string with leading 0s. So a wild guess is that maybe you need to pad e.g. the result of the SHA function with 0s?
November 16th, 2011 at 01:53
Hi Steve,
Have a look at http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/2158723/showtab/groupforums/Default.aspx
That may help solve your issue.
November 17th, 2011 at 22:42
Jeff, thanks for helping sort out the issue that Steve is having.