
Forum Discussion

Apr 28, 2014

APM - Redirect without closing the SSO session

I have an access policy that checks if a user requested a SAML resource of Box.com and if the user is in an AD group. If the user is not in the AD group, the access policy goes to a redirect terminal. The biggest issue is I have to have the terminal close the session or I get an error (connection reset) redirecting; btw I'm redirecting to the same URL as the APM.

Is the error due to me using the same virtual server to do logins and show error messages?

My login page is https://bxapp.corp.com/My.policy and the redirect page is https://bxapp.corp.com/samlerror/box

I have an iRule that checks the URL for the string samlerror.


when HTTP_REQUEST {
    if { [HTTP::uri] contains "samlerror" } {
        log local0. "Saml Error URI-> [HTTP::uri]"
        log local0. "Saml Error PATH-> [HTTP::path]"

        # Generic message; overridden below for known resources
        set errorBody "Error connecting using SAML - Single Sign On"
        # "/samlerror/box*" also matches the bare /samlerror/box path used by the redirect
        switch -glob [string tolower [HTTP::path]] {
            "/samlerror/box*" {
                log local0. "BOX >> User has no access to box via AD group"
                set errorBody "Your account doesn't have access to Box.com Please contact the IT Service Desk"
            }
            default {
                log local0. "DEFAULT >> Saml Error [HTTP::uri]"
            }
        }

        set htmlBody "SSO Error"
        # (HTML markup removed from the post)
        append htmlBody ""
        append htmlBody $errorBody
        HTTP::respond 200 content $htmlBody "Content-Type" "text/html"
    }
}


5 Replies

  • Why not end the branch in Deny and put the desired HTML there? You can build custom Deny action boxes, just like you do with redirect...


    • kj07208_118528
      Because Deny closes the session and I'm using this session as an SSO for other virtual servers. I'm using SAML resources to do this and the access policy defined above is the IdP and I have other SPs pointing here. Thanks for the input if you have other suggestions.
  • How about this:


    1. Set the fallback branch of the BR_AccessToBox agent to Allow
    2. Add a variable assignment on the fallback branch and set a custom variable
    3. Use ACCESS_ACL_ALLOWED instead of HTTP_REQUEST to capture the variable and display the message.
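An iRule that follows the three steps above, added here as an example (it is not code from the thread or from F5): it assumes the variable-assign agent on the fallback branch of BR_AccessToBox sets `session.custom.samlerror` to `"box"` (assumed variable name and value). Because ACCESS_ACL_ALLOWED only fires after the policy has ended in Allow, the message is served while the APM session, and the SSO it provides to the other SAML SPs, stays open.

```tcl
# Added example (not from the original thread). Assumes the access policy's
# variable-assign agent on the fallback branch of BR_AccessToBox sets
# session.custom.samlerror = "box" (assumed name and value).
when ACCESS_ACL_ALLOWED {
    # Read the custom variable the policy set on the fallback branch.
    set samlError [ACCESS::session data get "session.custom.samlerror"]

    # Nothing set: the user passed the AD-group check, let the request through.
    if { $samlError eq "" } {
        return
    }

    log local0. "SAML error flag=$samlError uri=[HTTP::uri]"

    # Pick the message for the failed check; add a case per SAML resource.
    switch -- [string tolower $samlError] {
        "box" {
            set errorBody "Your account doesn't have access to Box.com. Please contact the IT Service Desk."
        }
        default {
            set errorBody "Error connecting using SAML - Single Sign On"
        }
    }

    # HTML-escape the text before embedding it, so the page cannot carry
    # markup if the variable is ever derived from user-controlled data.
    set safeBody [string map {& &amp; < &lt; > &gt; \" &quot;} $errorBody]

    set htmlBody "<html><head><title>SSO Error</title></head><body>"
    append htmlBody "<h1>SSO Error</h1><p>$safeBody</p></body></html>"

    # Respond directly; the APM session is neither denied nor closed.
    HTTP::respond 200 content $htmlBody "Content-Type" "text/html"
}
```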