Lab 5 – FORMS Based Authentication

In this lab, we will show you how to configure APM to leverage SSO functionality with an application server that uses forms based authentication.


Lab Requirements:

  • BIG-IP with APM licensed and activated
  • Server running AD and Web services
  • Local Host file entries on the Jump Host

Task – Create a Pool

  1. Browse to Local Traffic > Pools and click the ‘+’ next to Pools List to create a new pool.

  2. Name the pool “forms_pool

  3. Assign the monitor “http” by selecting the monitor and moving it to the left.

  4. Add the following new member/node to the pool and click Finished:

    • Node Name: forms, Address:, Service Port: 80


Task – Create a Virtual Server

  1. Browse to Local Traffic > Virtual Servers and click the ‘+’ next to Virtual Server List to create a new one.

  2. Use the following information to create the virtual server and leave the other settings at their default values, then click Finished:

    • Name the pool “forms_vs

    • Destination Address/Mask:

    • Service Port: 443

    • HTTP Profile: http

    • SSL Profile (Client): f5demo

    • Source Address Translation: Auto Map

    • Default Pool: forms_pool

    image45 image46 image47

Task – Testing without APM

Observe the current behavior of the login page without authentication enforced by APM.

  1. Open your web browser and go to You should see a page that looks as follows:


  2. Log in with the following credentials:

    Username: user

    Password: Agility1

    Once successfully logged in you should see a web page similar to the following:


  3. Logout using the link at the top right-hand corner of the page.

Task – Create Access Policy to use with Forms Based Authentication

  1. Open the Wizards > Device Wizards page.

  2. Select Web Application Access Management for Local Traffic Virtual Servers


  3. Click Next

  4. Click Next for Option 1 on the Configuration Options page


  5. Configure Basic Properties for the policy

    1. For Policy Name enter Forms_Access_Policy

    2. Uncheck Enable Antivirus Check in Access Policy


    3. Click Next

  6. Configure the Authentication type used for this new policy

    1. Select Use Existing for the Authentication Options

    2. Select Lab_SSO_AD_Server::Active Directory


    3. Click Next

  7. Configure Single Sign On

    1. Select “Create New” for “SSO Options”

    2. Choose Form Based for the SSO Method

    3. Uncheck the option for “Use SSO Template”

    4. Enter /Account/Login* in the “Start URI” field

    5. Enter /Account/Login in the “Form Action” field

    6. Enter UserName in the “Form Parameter For User Name” field

    7. Enter Password in the “Form Parameter For Password” field


    8. Click Next

  8. Configure Virtual Server

    1. Select Use Existing HTTPS Server

    2. Choose /Common/forms_vs for the Virtual Server


    3. Click Next

  9. Review configuration and click Next

  10. Review the “Setup Summary”, which shows all (existing and new) objects associated with this new policy and click Finished.

  11. Add a logout URI Include to the new access policy

    1. Open the Access > Profiles / Policies > Access Profiles (Per-Session Policies) page

    2. Click on the name of the new policy Forms_Access_Policy

    3. Add/Account/Logout” to the “Logout URI Include” field

    4. Change Logout URI Timeout to 1 second


    5. Click Update

  12. Enable SSO

    1. Click on the “SSO / Auth Domains” tab

    2. For “SSO Configuration”, select Forms_Access_Policy_sso


    3. Click Update

Task – Applying Access Policy Changes

After you create or change an access policy, the link Apply Access Policy appears in yellow at the top left of the BIG-IP Configuration utility screen. You must click this link to activate the access policy for use in your configuration.


  1. Click the Apply Access Policy link, which will bring you to the Apply Access Policy screen, with a list of access policies that have been changed.

  2. Select the new Access Policy and click the Apply button (by default, all access policies that are new or changed are selected).


    After you apply the access policy, the Access Profiles list screen is displayed.

Task – Testing with APM Authentication

Observe the behavior of the login page now that authentication is enforced by APM.

  1. Open your web browser and go back to You should see a page that looks like the following:


  2. Logon with the following credentials:

    Username: user

    Password: Agility1

    Once successfully logged in you will see the same web page observed in task 2:


Task – Testing Logout

Earlier in Task 3, Step 9, we defined a Logout URI Include for this Access Policy. This is a list of logoff URIs that the access profile searches for in order to terminate the Access Policy Manager session. The URI we used was /Account/Logout, and the default logout delay is 5 seconds, which was modified to 1 second.

  1. Logout using the Logout link at the top right-hand corner of the page.
  2. Wait 1 second
  3. Click the Home link in the banner at the top of the page
  4. You should be redirected back to the F5 logon page