Forum Discussion

Cirrus

Oct 19, 2015

APM multi domain SSO, incorrect timeout URL

Hi, I've set up APM with multidomain SSO. Let's say I have a site "service.mydomain.com" and a login URL "login.mydomain.com". Works fine, I go to service.mydomain.com, I don't have an APM ...

BIG-IP Access Policy Manager (APM)

security

Kevin_Stewart

Employee

Oct 19, 2015

If I may add, while a longer timer is definitely the way to go, here's an iRule solution that will extend the SSO_ORIG_URI across access sessions:

when ACCESS_SESSION_STARTED {
    if { [HTTP::uri] contains "/F5Networks-SSO-Req?SSO_ORIG_URI" } {
        set sid [string range [ACCESS::session sid] [expr [string length [ACCESS::session sid]] -8] end]
        table set -subtable SSO ${sid} [findstr [HTTP::uri] "=" 1]
    }
}
when HTTP_REQUEST {
    if { [HTTP::cookie exists MRHSession] } {
        set sid [string range [HTTP::cookie value MRHSession] [expr [string length [HTTP::cookie value MRHSession]] -8] end]

        if { ( [HTTP::uri] equals "/" ) and ( [HTTP::cookie exists MRHSession] ) and not ( [ACCESS::session exists -sid [HTTP::cookie value MRHSession]] ) and ( [table lookup -subtable SSO ${sid}] ne "" ) } {
            HTTP::respond 302 Location "/F5Networks-SSO-Req?SSO_ORIG_URI=[table lookup -subtable SSO ${sid}]"
            table delete -subtable SSO ${sid}
            unset sid
        }
    }
}

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)