For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Tony_Kroukamp_1's avatar
Tony_Kroukamp_1
Icon for Nimbostratus rankNimbostratus
Jun 26, 2015

APM Multi-domain configuration, log off page redirect

Hello

I have a multi-domain SSO configuration set up. If a user logs into an APM protected VS (for example mail.company.com, in this case for OWA), he is redirected to the main portal to authenticate (portal.company.com), then gets redirected to the back end app he initially requested. This works great. Now if this user logs out of OWA, he is displayed the logout page for this app's VS - https://mail.company.com/vdesk/hangup.php3. I would like to have the user redirected to the logout page for the main portal (https://portal.company.com/vdesk/hangup.php3) instead. To make this happen I tried the following iRule, but it doesn't work. It seems that after logout, this URI is not detected.

when ACCESS_ACL_ALLOWED {
  if { [HTTP::uri] equals "/vdesk/hangup.php3" } {
    log local0. "Redirecting to main portal logout page."
    ACCESS::respond 302 Location "https://portal.company.com/vdesk/hangup.php3" Connection close
  }
}

Can anyone give me some advice as to how I can get this to work?

Thanks Tony

application delivery
BIG-IP Access Policy Manager (APM)
devops
iRules
LTM
management
security

4 Replies

  • kunjan's avatar
    kunjan
    Icon for Nimbostratus rankNimbostratus
    Jun 26, 2015

    Can you catch the actual logout url in the iRule and do redirect to the required page?

     

  • Tony_Kroukamp_1's avatar
    Tony_Kroukamp_1
    Icon for Nimbostratus rankNimbostratus
    Jun 29, 2015

    OK, I got this figured out. Since this was a VS for OWA, there already is an iRule that does the redirecting, I just had to modify it slightly. Look for the line below with "https://portal.company.com/" in it.

    when RULE_INIT {
    set static::cookie_sessionid [format "sessionid=null; path=/; Expires=Thurs, 01-Jan-1970 00:00:00 GMT;"]
    set static::cookie_cadata [format "cadata=null; path=/; Expires=Thurs, 01-Jan-1970 00:00:00 GMT;"]
    set static::cookie_usercontext [format "UserContext=null; path=/; Expires=Thurs, 01-Jan-1970 00:00:00 GMT;"]
}

when ACCESS_SESSION_STARTED {
    if { [string tolower [HTTP::uri]] contains "ua=0" } {
        ACCESS::session remove
    }
}

when ACCESS_ACL_ALLOWED {
    set apm_mrhsession [HTTP::cookie value "MRHSession"]
    if { [table lookup $apm_mrhsession] == "EXCHANGE_LOGOUT" } {
        ACCESS::session remove
        table delete $apm_mrhsession
    }
}

when HTTP_REQUEST {
    set isset 0
    if {[string tolower [HTTP::uri]] starts_with "/owa" } {
        if {[string tolower [HTTP::uri]] contains "logoff" } {
            ACCESS::session remove
            HTTP::respond 302 Location "https://portal.company.com/vdesk/hangup.php3" "Set-Cookie" $static::cookie_sessionid "Set-Cookie" 

$static::cookie_cadata "Set-Cookie" $static::cookie_usercontext
        } else {
            if { [string tolower [HTTP::uri]] contains "ua=0" } {
                set mrhsession [HTTP::cookie value "MRHSession"]
                set isset 1
            }
        }
    }
}
when HTTP_RESPONSE {
    if { $isset == 1 } {
        if { $mrhsession != "" && [HTTP::status] == 440 } {
            table set $apm_mrhsession "EXCHANGE_LOGOUT"
            return
        }
    }
}