APM redirect to /my.policy stripping POST data

Question

I have a condition where an unauthenticated user sends a POST request to a F5 virtual server running Access Policy. As part of the authentication process, the F5 redirects the original POST to /my.policy which, in turn, responds with HTML that contains a

tjp · Answer

Some of the question was truncated.

The question was:

I have a condition where an unauthenticated user sends a POST request to a F5 virtual server running Access Policy. As part of the authentication process, the F5 redirects the original POST to /my.policy which, in turn, responds with HTML that contains a HTML form that gets automatically submitted requesting the original content. This time without the POST data! Has anyone encountered this?

max_q_factor · Answer

That is a feature. Lots of people have issues like that with SAML and APM.&nbsp;

andy_turner · Answer

I have this exact same issue with our Shibboleth IdP. The SAMLRequest is in the POST data section of the HTTP request prior to redirect and log in to APM. After log in to APM, it's gone.

Users who already have an APM session prior to visiting the SAML protected site get in fine since the POST data is never stripped.

Has anyone managed to fix this or found a workaround that still uses the POST data e.g. capturing it pre APM page and injecting it back in afterwards?

I've just raised a support call anyway to try and get a resolution.

thi · Answer

When an unauthenticated user is requesting a page protected by APM, say GET / , then APM sets up a session (sets session cookies etc) and does a 302 redirect to /my.policy, where the interactive authentication occurs. After successful authentication there is another 302 redirect to the requested page or whatever is in the APM Policy flow. Now in this scenario, if the user initially sends a POST request with form data (in the payload), the initial 302 redirect does not preserve it. &nbsp;
Losing POST data is normal behaviour for 302 redirects, 302 also changes the http method to GET. A 307 redirect would preserve method and the POST data. I believe the 302 redirect is built in by design for the interactive authentication.&nbsp;
There is a way to avoid the 302 redirects using clientless-mode header in the request. But this is typically used with a non-browser client like a client application. There the request needs to have clientless-mode: 1 header. I believe the authentication needs to be done by other than interactive means in this case. I have only used 401 to invoke the client to send the credentials in Authorization header to APM in clientless mode. The credentials are stored in session variables for further use towards the server if needed, like in normal interactive authentication.&nbsp;

vinne73_96575 · Answer

Andy, did you get any answer to your support call?&nbsp;
Same problem here: initial POST to an unauthenticated user, and all POST data is lost forever.&nbsp;

Forum Discussion

APM redirect to /my.policy stripping POST data

8 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

F5 Networks F5CAB1 Exam - Need Help Regarding Prep

Username is not filled in EdgeClient in the Modern customization

The GSLB pool is providing an incorrect IP to end users

iRule causing requests to be duplicated (sometimes)

Cisco TACACS+ Config on ISE LTM Pair

Related Content

F5 HTTPS Redirect 2025

Rewriting Redirects

(HTTP) Redirection via Arbitrary Host Header

Anchor Link Redirect

BIG-IP Solutions: Simple URL Redirects

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS