Forum Discussion
F5 configured SP initiated SAML Authentication causing multiple Redirects
F5 is configured (source-IP based) to talk to 2 IBM HTTP Servers, and the web servers are load balancing using traditional load balancing (round-robin) and routing requests to 8 JVMs of a WebSphere ND cluster. 2 applications are deployed with context roots /maximo and /saml/acs on the same cluster.
When SAML authentication is triggered via F5, we have 2 scenarios to take care of.
F5: HTTPS offload is enabled with end-to-end validation using HTTPS only.
1. https://abc.com/maximo
URL loads successfully. No issues in authentication to SAML. When loaded, it follows the path below:
1) Incognito Browser(User) requests resource from Service Provider (SP).
2) SP Redirects (with SAML Request) to Identity Provider (microsoft-entra).
3) Since it is first login, User gives the (IdP) his/her valid credentials.
4) IdP then redirects Browser (with SAML Response which includes SAML token) to the SP page.
5) User receives the landing page.
THIS IS WORKING
2. https://abc.com/maximo/ui/?event=loadapp&value=asset&changetab=viewtab&uniquid=123455
1) Incognito Browser(User) requests resource from Service Provider (SP).
2) SP Redirects (with SAML Request) to Identity Provider (microsoft-entra).
3) Since it is first login, User gives the (IdP) his/her valid credentials.
4) IdP then redirects Browser (with SAML Response which includes SAML token) to the SP page.
5) Cannot find the resource and SP Redirects (with SAML Request) to Identity Provider (microsoft-entra).
6) IdP then redirects Browser (with SAML Response which includes SAML token) to the SP page.
7) Cannot find the resource and SP Redirects (with SAML Request) to Identity Provider (microsoft-entra).
Keeps redirecting multiple times, and finally the timeout is hit and it does not respond at all. It keeps redirecting when the long URL is challenged.
Do we need special iRules to retain JSESSIONID state, or WAS? I see this as an issue with respect to cookie persistence.
13 Replies
- Injeyan_Kostas
Nacreous
Persistence based on JSESSIONID will most probably solve your issue.
You will need universal persistence for this.
Have a look here: https://my.f5.com/manage/s/article/K7392
- Lohit
Nimbostratus
Thanks for the response.
We have 2 applications deployed in the cluster (F5 is fronting it):
1. Maximo (https://abc.com/maximo) --- Session management enabled with cookie (JSESSIONID)
2. WebsphereISP (ACS assertion with Entra). The assertion URL within WebSphere security is configured as https://abc.com/samlsps/acs. --- Session management enabled with cookie (JSESSIONIDSAML)
SAML flow is mentioned as per the below link.
https://www.ibm.com/docs/en/was/9.0.5?topic=sign-saml-single-scenarios-features-limitations
https://www.ibm.com/docs/en/was/9.0.5?topic=swss-enabling-saml-sp-initiated-web-single-sign-sso
What I feel the problem is: when we hit LB URL (1), it routes to a particular JVM, and then to initiate assertion authentication with Entra we are using (2). During this flow, I believe JSESSIONID is lost between Entra and the application.
Do you think your solution should still work in this case?
- Injeyan_Kostas
Nacreous
If JSESSIONID is not included probably not.
If you leave only one HTTP server available, the same to both pools, does it work?
- Lohit
Nimbostratus
I can enforce JSESSIONID to be the same for both, but with that as well the problem persisted earlier. If 1 HTTP Server is up and running, the redirect is still happening, but the response is better compared to the previous case.
- Lohit
Nimbostratus
- The client accesses a protected business application without first authenticating to the IdP or to the application server.
- The application server intercepts the request based on configured filter definitions.
- The application server stores the value of the original request URL on a cookie called WasSamlSpReqUrl.
- The application server redirects the client to the IdP login page that is configured on the sso_<id>.sp.login.error.page custom property.
- Authentication continues following the IdP-initiated SSO flow.
- The user authenticates to the IdP.
- The IdP redirects the client to the Assertion Consumer Service (ACS) (https://abc.com/samlsps/acs) on the WebSphere Application Server by sending a SAML response over HTTP POST.
- The application server processes the SAML response and creates a security context.
- The application server adds an LTPA cookie to the HTTP response.
- The application server uses the value of the WasSamlSpReqUrl cookie to redirect the client to the original request URL. (https://abc.com/maximo)
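As an added example, not part of this thread and not the text of the K7392 article, here is what a universal-persistence iRule keyed on the two WebSphere session cookies Lohit names (JSESSIONID for /maximo, JSESSIONIDSAML for the SP) would look like. The cookie names and the /samlsps/acs path come from the thread; the assumption that the virtual server uses a Universal persistence profile that references this iRule, and the choice to log an ACS POST that carries neither cookie, are mine.

```tcl
# Added example (not from the thread or from K7392): universal persistence
# keyed on whichever WebSphere session cookie the client presents.
# Assumptions: cookie names JSESSIONID and JSESSIONIDSAML as named in the
# thread; the virtual server has a Universal persistence profile attached
# that points at this iRule; the ACS path is /samlsps/acs as on WebSphere.
when HTTP_REQUEST {
    # Check the SP cookie first (it is the one in play during the ACS POST),
    # then the application cookie, so both legs of the SAML flow and the
    # later /maximo requests stick to the JVM that issued the cookie.
    foreach name { "JSESSIONIDSAML" "JSESSIONID" } {
        if { [HTTP::cookie exists $name] } {
            persist uie [HTTP::cookie $name]
            return
        }
    }
    # Diagnostic only: the IdP's SAML response arriving with no session
    # cookie is exactly the case in which plain round-robin can send it to
    # a JVM that never saw the original request or its WasSamlSpReqUrl
    # cookie. Logging it separates "no cookie" from "cookie not honoured".
    if { [HTTP::method] equals "POST" && [HTTP::path] starts_with "/samlsps/acs" } {
        log local0. "ACS POST from [IP::client_addr] without JSESSIONID/JSESSIONIDSAML"
    }
}

when HTTP_RESPONSE {
    # Create the persistence record when a pool member first issues either
    # cookie; on the response side HTTP::cookie reads the Set-Cookie header.
    foreach name { "JSESSIONIDSAML" "JSESSIONID" } {
        if { [HTTP::cookie exists $name] } {
            persist add uie [HTTP::cookie $name]
        }
    }
}
```

The log line is the part worth keeping while troubleshooting: if the loop still occurs with one active pool member, persistence cannot be the cause (as Injeyan_Kostas notes later in the thread), and seeing whether the repeated ACS POSTs arrive with or without a session cookie tells you whether the cookie is being dropped between Entra and the application rather than being routed to the wrong JVM.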
- Injeyan_Kostas
Nacreous
OK, but what does /maximo expect to let you in?
The LTPA cookie?
- Lohit
Nimbostratus
To the actual application landing page. Yes.
End user access into the actual application using that LTPA cookie: https://abc.com/maximo
End user is not bothered about this: https://abc.com/samlsps/acs
- Injeyan_Kostas
Nacreous
Are you sure https://abc.com/maximo/ui/?event=loadapp&value=asset&changetab=viewtab&uniquid=123455 exists?
Do you have any logs from the HTTP server?
- Lohit
Nimbostratus
Yes, it exists. I can access the application multiple ways.
https://abc.com/maximo/ui ----- Default landing page
I cannot share the logs from the HTTP Server due to security. I am sorry. Is there any other debug process you would like to advise?
- Lohit
Nimbostratus
Should I still consider this, as per your suggestion? "Have a look here https://my.f5.com/manage/s/article/K7392"
- Injeyan_Kostas
Nacreous
You can try, but as said, if you have the same issue even with one active pool member, persistence is not your problem.