APM - Multi-domain SSO - problem with trailing &

Question

Hi,&nbsp;
Can somebody using APM with Multi domain SSO do me a favor and test something? I seem to be running into a problem when the Original URL that's requested ends with &amp;&nbsp;
Normally:&nbsp;
You ask for the content Virtual ServerRedirect to Login VS with an URI like /F5Networks-SSO-Req?SSO_ORIG_URI=[encoded Original url]Get redirected to content VS with an URI like /F5Networks-SSO-Resp?SSO_ORIG_URI=...
Now, when my Original URL ends with &amp;, I get the steps above twice! And also, the second time around, the Original URL is decoded when I get back in step 3. Resulting in a massive fail and &nbsp;
Nov 10 13:06:22 f5cmiprod err tmm[2212]: 01490514:3: 00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_multidomain_sso_decode_redirect_uri, Line: 11746
Nov 10 13:06:22 f5cmiprod err tmm[2212]: 01490514:3: 00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_check_uri_type, Line: 10565&nbsp;
So, can somebody try this? Just add an &amp; to your URL at the end.&nbsp;
Tx
Vincent&nbsp;

lucas_thompson_ · Answer

You're likely encountering bug ID 428268, documented here:
http://support.f5.com/kb/en-us/solutions/public/15000/400/sol15445.html
If you like, you can submit a request to Support to get a build with the fix for it. This issue is not resolved in any release or hotfix yet. Note that the trailing ampersand probably isn't required by the web server (it's the CGI delimiter) so you could probably just get rid of it. You could work around it by using an irule like this on your virtual:
 workaround for F5 bug ID 428268
 if the URI has unusual format in CGI parameters (trailing ampersand), fix it up

when CLIENT_ACCEPTED {
  ACCESS::restrict_irule_events disable
}

when HTTP_REQUEST {
  if { [HTTP::uri] ends_with "&amp;" } {
    log local0. "Redirecting user to get rid of ampersand"
    HTTP::respond 302 Location [string range [HTTP::uri] 0 "end-1"]
  }
}

vinne73 · Answer

Yes this seems to be my problem. The "Applies to" needs to be updated because I run on 11.6. I guess the problem is not fixed yet.

About the problem: it should be none of the BigIP's business what the Original URL is, and if it's properly formatted or not but that's just my opinion ;)

lucas_thompson_ · Answer

It's an acknowledged defect and will be fixed shortly. The system must parse this URI value because it's transformed into two different forms of redirect URL, one for the end policy redirect and one for the 302 multidomain bounce-back cookie setting implementation. It's just that the parser isn't flexible enough to parse unparsable things where the values don't conform to the CGI specification in RFC 3875.

Forum Discussion

APM - Multi-domain SSO - problem with trailing &

Recent Discussions

APM webtop customization header message

Installing a PKCS 12 File onto an F5 Device

Irule to allow specific IPs

Uploading SKCS 12 File to F5 Device

F5 not Identifying Parameter in Text/Plain Upload

Related Content

GTM configuration for multi domain

Source_Addr Persistence Problems

multi-domain with client-ssl profile set using SNI option

Problem about Export imformation to Excel

iRule to Add Trailing Slash Except for Extensions