Forum Discussion
Cors preflight requests problem
I have two different web applications that make requests to domain names other than themselves. For example, x.domain.com makes a request to y.domain.com to retrieve certain data. The user is authenticated through APM, and we are using a multidomain sso.
The problem is that when the request is sent, BIG-IP will make a redirect to /my.policy and finally to /my.logout.php3?errorcode=19.
I've tried the workaround with this irule: https://devcentral.f5.com/s/articles/cors-implementation but it does not solve the issue.
The APM still does not allow the request to reach its destination.
My only workaround is to let these requests go to a "public VIP", only with ASM as protection, but I want it to go through APM and the same VIP as the original site that is already authenticated.
Thanks!
Johan
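The cookie-less OPTIONS preflight is what APM sees as an unauthenticated request and redirects to /my.policy. Below is an added example (not from this thread, nor F5's CORS article) of an iRule that answers the preflight before the access policy runs; it assumes it is attached to the y.domain.com virtual server and that https://x.domain.com is the only origin to allow.

```tcl
# Added example, not part of the thread. Assumes: attached to the y.domain.com
# virtual server, x.domain.com is the only permitted origin.
when HTTP_REQUEST {
    # Only treat a request as a preflight when the browser marks it as one:
    # OPTIONS plus Origin plus Access-Control-Request-Method.
    if { [HTTP::method] equals "OPTIONS" && [HTTP::header exists "Origin"] \
         && [HTTP::header exists "Access-Control-Request-Method"] } {
        set origin [HTTP::header "Origin"]
        # Exact-match allowlist. Never reflect an arbitrary Origin when
        # Access-Control-Allow-Credentials is true.
        if { $origin equals "https://x.domain.com" } {
            set req_headers "Content-Type"
            if { [HTTP::header exists "Access-Control-Request-Headers"] } {
                set req_headers [HTTP::header "Access-Control-Request-Headers"]
            }
            # Skip the access policy for this request only, then answer it here
            # so it never reaches /my.policy.
            ACCESS::disable
            HTTP::respond 204 noserver \
                "Access-Control-Allow-Origin" $origin \
                "Access-Control-Allow-Credentials" "true" \
                "Access-Control-Allow-Methods" "GET, POST, OPTIONS" \
                "Access-Control-Allow-Headers" $req_headers \
                "Access-Control-Max-Age" "600" \
                "Vary" "Origin"
        } else {
            # Unknown origin: refuse the preflight without involving APM.
            HTTP::respond 403 noserver
        }
    }
}
```

This handles only the preflight; the credentialed request that follows still needs a valid APM session for y.domain.com (which the multi-domain SSO setup is meant to provide) and the backend response must carry matching CORS headers.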
- AlexBCT (Cumulonimbus)
Hi Johan,
Do I understand it correctly that the backend server of the first web application (the server hosting x.domain.com) needs to reach y.domain.com in order to gather some information it needs to complete a request for the client?
If so, do you need that backend server to log in to the APM policy, or do you just need it to be able to reach the backend system? If you just need the backend system to gain access to the application, you could put in an agent in the APM policy BEFORE it gets to the login page? This agent can then check if the request is coming from a specific IP, or some other way in which you can identify that it is this server. If so, you can then bypass the login page and go straight through to the "Allow".
Of course, do ensure there is no other way anyone could exploit that ;)
Hope this helps.
- Johan_Lång (Cirrus)
Hmm, not quite, I think.
Isn't it the client who makes the actual call to the backend server, y.domain.com?
x.domain.com responds with a 302 to the client with a new Location header, and the client then tries to make a new request to the new location?
In your scenario, x.domain.com makes the actual request to y.domain.com in the back, right?
But if there is a way to accomplish that instead, I'm in! :) But I'm not sure how to do that really...
Best regards,
Johan
- AlexBCT (Cumulonimbus)
Ah yes, that's another way indeed - there are many ways in which you can get multiple components from different sources.
In that case, I think this is what you are looking for: https://techdocs.f5.com/en-us/bigip-14-0-0/big-ip-access-policy-manager-authentication-and-single-sign-on-14-0-0/single-sign-on-and-multi-domain-support.html . You can configure the APM policy to be working for multiple domains, but only have a single login. Check under the heading "Configuring an access policy for SSO multi-domain support" for the exact instructions.
Basically you tell the policy to look out for requests for any of the following domains. In your case you configure the multi-domains as x.example.com and y.example.com, with probably x.example.com as your main authentication URL. You then attach the same APM policy to both virtual servers (x. and y.) and let the user go to either one. If the user is not logged in yet and goes to y., they will be redirected to the primary authentication URL (x. in the above example) for login, and then get redirected back to y. for the content. If the user first goes to x., they will log in first, then get redirected by the backend to y., which will check over the session details and allows it through without showing the login page again.
Hope this makes sense (...and works! ;)
- Johan_Lång (Cirrus)
I can see now that my original question can be interpreted exactly as you did.
- samstep (Cirrocumulus)
If you are using ASM, it might be the culprit; check this:
Bug ID 746394: With ASM CORS set to 'Disabled' it strips all CORS headers in response.
https://cdn.f5.com/product/bugtracker/ID746394.html
Also, if y.domain.com, where your request is landing, has an ASM policy in blocking mode, please do check that the OPTIONS method is not blocked in the ASM policy (it is blocked by default).
- Johan_Lång (Cirrus)
Thanks for your reply; unfortunately we're not using ASM together with APM.
/Johan