Forum Discussion
F5 APM: one specific SAML SP-initiated connection (not all) fails with an iRule execution error and a TCP reset, F5 version 12.1.2 HF1
We have a problem with a specific SP-initiated SAML request: iRule execution fails.
Problem details
We have F5 APM set up as an IdP: a single IdP with multiple SPs. One specific SP-initiated connection is reset by the SAML IdP iRule, but all the other SAML SP-initiated connections work fine with the iRule executing. The SAML IdP iRule is written for IdP-initiated connections and is applied to the SAML VIP. The TCL error captured when the specific SAML request fails:
Jun 22 12:39:38 slot1/FDYEXLB01 err tmm1[22774]: 01220001:3: TCL error: /Common/SAML_IDP_rule - Illegal argument (line 1) (line 1) invoked from within "ACCESS::policy result"
Jun 22 12:39:38 slot1/FDYEXLB01 err tmm[22774]: 01220001:3: TCL error: /Common/SAML_IDP_rule - Illegal argument (line 1) (line 1) invoked from within "ACCESS::policy result"
Jun 22 12:39:39 slot1/FDYEXLB01 err tmm1[22774]: 01220001:3: TCL error: /Common/SAML_IDP_rule - Illegal argument (line 1) (line 1) invoked from within "ACCESS::policy result"
Jun 22 12:39:39 slot1/FDYEXLB01 err tmm3[22774]: 01220001:3: TCL error: /Common/SAML_IDP_rule - Illegal argument (line 1) (line 1) invoked from within "ACCESS::policy result"
- Daniel_W_
Cirrus
Hi,
Can you post your iRule so that we can check it?
- jitu
Nimbostratus
Hi Daniel, Thanks for looking into this. Below is the iRule applied.
when RULE_INIT {
    # Change to "1" to enable debugging log statements, 0 to disable
    set static::debug_IDP 1
}

# HTTP Request used to provide IdP Initiated SAML for users that have logged in
when HTTP_REQUEST priority 30 {
    log local0. "HTTP Path= [HTTP::path]"
    log local0. "Access policy result= [ACCESS::policy result]"
    if {"[ACCESS::policy result]" eq "allow"} {
        switch -glob [string tolower [HTTP::path]] {
            "/staples*" {
                if { $static::debug_IDP } { log local0. "HTTP_REQUEST: Setting SAML start uri to staples" }
                HTTP::respond 302 Location "/saml/idp/res?id=/Common/Staples_IDP"
                return
            }
            "/concur*" {
                if { $static::debug_IDP } { log local0. "HTTP_REQUEST: Setting SAML start uri to concur" }
                HTTP::respond 302 Location "/saml/idp/res?id=/Common/Concur_IDP"
                return
            }
            "/healthfitness*" {
                if { $static::debug_IDP } { log local0. "HTTP_REQUEST: Setting SAML start uri to healthfitness" }
                HTTP::respond 302 Location "/saml/idp/res?id=/Common/HealthFitness_IDP"
                return
            }
        }
    }
}

# ACCESS Policy Response used to provide IdP Initiated SAML for users that have not logged in yet
when ACCESS_POLICY_COMPLETED priority 30 {
    switch -glob [string tolower [ACCESS::session data get session.server.landinguri]] {
        "/staples*" {
            if { $static::debug_IDP } { log local0. "ACCESS_POLICY_COMPLETED: Setting SAML start uri to staples" }
            ACCESS::respond 302 Location "/saml/idp/res?id=/Common/Staples_IDP"
            return
        }
        "/concur*" {
            if { $static::debug_IDP } { log local0. "ACCESS_POLICY_COMPLETED: Setting SAML start uri to concur" }
            ACCESS::respond 302 Location "/saml/idp/res?id=/Common/Concur_IDP"
            return
        }
        "/healthfitness*" {
            if { $static::debug_IDP } { log local0. "ACCESS_POLICY_COMPLETED: Setting SAML start uri to healthfitness" }
            ACCESS::respond 302 Location "/saml/idp/res?id=/Common/HealthFitness_IDP"
            return
        }
    }
}
- Daniel_Varela
Employee
Hi, this can cause you problems:
when HTTP_REQUEST priority 30 {
    log local0. "HTTP Path= [HTTP::path]"
    log local0. "Access policy result= [ACCESS::policy result]"
>>>>>> if {"[ACCESS::policy result]" eq "allow"}
You should specify the session ID from the MRHSession cookie when using ACCESS commands in HTTP_REQUEST events (in general, outside ACCESS events); otherwise you will get an error. Another option is to do the same validation within ACCESS_ACL_ALLOWED, as that event takes by default the session ID evaluated in that request.
I use this command more often: ACCESS::session exists -state_{allow|deny|redirect|inprogress} -sid
- jitu
Nimbostratus
Hi Daniel,
I have tried the iRule below, but it is throwing an error when trying to initiate a session, for both IdP-initiated and SP-initiated.
when RULE_INIT {
    # Change to "1" to enable debugging log statements, 0 to disable
    set static::debug_IDP 1
}

# HTTP Request used to provide IdP Initiated SAML for users that have logged in
when HTTP_REQUEST priority 30 {
    if { "[ACCESS::session exists -{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid]" } {
        switch -glob [string tolower [HTTP::path]] {
            "/staples*" {
                if { $static::debug_IDP } { log local0. "HTTP_REQUEST: Setting SAML start uri to staples" }
                HTTP::respond 302 Location "/saml/idp/res?id=/Common/Staples_IDP"
                return
            }
            "/concur*" {
                if { $static::debug_IDP } { log local0. "HTTP_REQUEST: Setting SAML start uri to concur" }
                HTTP::respond 302 Location "/saml/idp/res?id=/Common/Concur_IDP"
                return
            }
            "/healthfitness*" {
                if { $static::debug_IDP } { log local0. "HTTP_REQUEST: Setting SAML start uri to healthfitness" }
                HTTP::respond 302 Location "/saml/idp/res?id=/Common/HealthFitness_IDP"
                return
            }
        }
    }
}

# ACCESS Policy Response used to provide IdP Initiated SAML for users that have not logged in yet
when ACCESS_POLICY_COMPLETED priority 30 {
    switch -glob [string tolower [ACCESS::session data get session.server.landinguri]] {
        "/staples*" {
            if { $static::debug_IDP } { log local0. "ACCESS_POLICY_COMPLETED: Setting SAML start uri to staples" }
            ACCESS::respond 302 Location "/saml/idp/res?id=/Common/Staples_IDP"
            return
        }
        "/concur*" {
            if { $static::debug_IDP } { log local0. "ACCESS_POLICY_COMPLETED: Setting SAML start uri to concur" }
            ACCESS::respond 302 Location "/saml/idp/res?id=/Common/Concur_IDP"
            return
        }
        "/healthfitness*" {
            if { $static::debug_IDP } { log local0. "ACCESS_POLICY_COMPLETED: Setting SAML start uri to healthfitness" }
            ACCESS::respond 302 Location "/saml/idp/res?id=/Common/HealthFitness_IDP"
            return
        }
    }
}
Error:
Jul 6 08:44:51 slot1/FDYEXLB01 err tmm[22774]: 01220001:3: TCL error: /Common/SAML_IDP_V4 - wrong args: should be "ACCESS::session exists [ -state_allow | -state_deny | -state_redirect | -state_inprogress ] [[-sid] ] " while executing "ACCESS::session exists -{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid"
Jul 6 08:44:51 slot1/FDYEXLB01 err tmm[22774]: 01220001:3: TCL error: /Common/SAML_IDP_V4 - wrong args: should be "ACCESS::session exists [ -state_allow | -state_deny | -state_redirect | -state_inprogress ] [[-sid] ] " while executing "ACCESS::session exists -{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid"
Jul 6 08:44:51 slot1/FDYEXLB01 err tmm[22774]: 01220001:3: TCL error: /Common/SAML_IDP_V4 - wrong args: should be "ACCESS::session exists [ -state_allow | -state_deny | -state_redirect | -state_inprogress ] [[-sid] ] " while executing "ACCESS::session exists -{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid"
Jul 6 08:44:51 slot1/FDYEXLB01 err tmm1[22774]: 01220001:3: TCL error: /Common/SAML_IDP_V4 - wrong args: should be "ACCESS::session exists [ -state_allow | -state_deny | -state_redirect | -state_inprogress ] [[-sid] ] " while executing "ACCESS::session exists -{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid"
Jul 6 08:44:51 slot1/FDYEXLB01 err tmm[22774]: 01220001:3: TCL error: /Common/SAML_IDP_V4 - wrong args: should be "ACCESS::session exists [ -state_allow | -state_deny | -state_redirect | -state_inprogress ] [[-sid] ] " while executing "ACCESS::session exists -{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid"
Jul 6 08:44:51 slot1/FDYEXLB01 err tmm1[22774]: 01220001:3: TCL error: /Common/SAML_IDP_V4 - wrong args: should be "ACCESS::session exists [ -state_allow | -state_deny | -state_redirect | -state_inprogress ] [[-sid] ] " while executing "ACCESS::session exists -{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid"
Jul 6 08:44:51 slot1/FDYEXLB01 err tmm2[22774]: 01220001:3: TCL error: /Common/SAML_IDP_V4 - wrong args: should be "ACCESS::session exists [ -state_allow | -state_deny | -state_redirect | -state_inprogress ] [[-sid] ] " while executing "ACCESS::session exists -{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid"
Jul 6 08:44:51 slot1/FDYEXLB01 err tmm2[22774]: 01220001:3: TCL error: /Common/SAML_IDP_V4 - wrong args: should be "ACCESS::session exists [ -state_allow | -state_deny | -state_redirect | -state_inprogress ] [[-sid] ] " while executing "ACCESS::session exists -{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid"
Jul 6 08:44:52 slot1/FDYEXLB01 err tmm3[22774]: 01220001:3: TCL error: /Common/SAML_IDP_V4 - wrong args: should be "ACCESS::session exists [ -state_allow | -state_deny | -state_redirect | -state_inprogress ] [[-sid] ] " while executing "ACCESS::session exists -{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid"
Jul 6 08:44:52 slot1/FDYEXLB01 err tmm2[22774]: 01220001:3: TCL error: /Common/SAML_IDP_V4 - wrong args: should be "ACCESS::session exists [ -state_allow | -state_deny | -state_redirect | -state_inprogress ] [[-sid] ] " while executing "ACCESS::session exists -{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid"
Please let me know if I missed something. Please help here; also note that the existing iRule works for all IdP-initiated and SP-initiated connections except one SP-initiated connection, which gets dropped due to the iRule.
- nag_54823
Cirrostratus
Hi Jitu,
You need to use either state_allow or state_deny or state_redirect; you should not use all of them in one command.
Example:
when HTTP_REQUEST priority 30 {
    set apm_cookie [HTTP::cookie value MRHSession]
    if { "[ACCESS::session exists -state_allow -sid $apm_cookie]" } {
        # ... existing switch on [HTTP::path] goes here ...
    }
}
- jitu
Nimbostratus
Great advice Nag!! Really appreciated. Now my SAML stuff is working, both SP-initiated and IdP-initiated.
I have replaced the if {"[ACCESS::policy result]" eq "allow"} { with
set apm_cookie [HTTP::cookie value MRHSession]
if { "[ACCESS::session exists -state_allow -sid $apm_cookie]" } {
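The iRule as it stands after the fix agreed in this thread, written out in full as an added example assembled from the posts above; it is not a verbatim copy of any post. The IdP resource names (/Common/Staples_IDP, /Common/Concur_IDP, /Common/HealthFitness_IDP), the path prefixes and the MRHSession cookie lookup are taken from the thread. The static::idp_map list shared by both events, the empty-cookie guard and the ACCESS::policy result check inside ACCESS_POLICY_COMPLETED are assumptions of this example that the posts do not show.

```tcl
# Added example: consolidated IdP-initiated SAML iRule after the fix from this thread.
# Not copied from any post. static::idp_map, the empty-cookie guard and the
# policy-result check in ACCESS_POLICY_COMPLETED are assumptions of this example.
when RULE_INIT {
    # Change to 1 to enable debugging log statements, 0 to disable
    set static::debug_IDP 1
    # Lower-cased glob pattern for the landing path -> APM SAML IdP resource to start.
    # One table for both events so the two switch blocks cannot drift apart.
    set static::idp_map [list \
        "/staples*"       "/Common/Staples_IDP" \
        "/concur*"        "/Common/Concur_IDP" \
        "/healthfitness*" "/Common/HealthFitness_IDP" \
    ]
}

# Users that already have an allowed APM session: redirect them straight to the IdP resource.
when HTTP_REQUEST priority 30 {
    # Outside ACCESS_* events TMM does not know which APM session the request
    # belongs to, so ACCESS::policy result without -sid raises "Illegal argument"
    # and the connection is reset. Look the session up by the MRHSession cookie instead.
    set apm_cookie [HTTP::cookie value MRHSession]
    if { $apm_cookie eq "" } {
        # No cookie: let APM run the access policy; ACCESS_POLICY_COMPLETED handles it.
        return
    }
    if { ![ACCESS::session exists -state_allow -sid $apm_cookie] } {
        # Unknown, expired or not-yet-allowed session: fall through to APM.
        return
    }
    set path [string tolower [HTTP::path]]
    foreach { pattern idp } $static::idp_map {
        if { [string match $pattern $path] } {
            if { $static::debug_IDP } {
                log local0. "HTTP_REQUEST: Setting SAML start uri to $idp"
            }
            # The Location value is always one of the fixed strings in static::idp_map,
            # never derived from the request, so this cannot become an open redirect.
            HTTP::respond 302 Location "/saml/idp/res?id=$idp"
            return
        }
    }
}

# Users that had to log in first: once the policy finishes, send them to the IdP
# resource chosen by the URI they originally landed on.
when ACCESS_POLICY_COMPLETED priority 30 {
    # Inside an ACCESS event the session is implicit, so no -sid is needed here.
    if { [ACCESS::policy result] ne "allow" } {
        # Denied sessions get APM's own deny page; nothing to redirect.
        return
    }
    set landing [string tolower [ACCESS::session data get session.server.landinguri]]
    foreach { pattern idp } $static::idp_map {
        if { [string match $pattern $landing] } {
            if { $static::debug_IDP } {
                log local0. "ACCESS_POLICY_COMPLETED: Setting SAML start uri to $idp"
            }
            ACCESS::respond 302 Location "/saml/idp/res?id=$idp"
            return
        }
    }
}
```

Two points worth checking after deploying something like this: ACCESS::session exists -state_allow returns true only when a session with exactly that ID is in the allow state, so a missing, stale or forged MRHSession cookie simply falls through to the normal APM logon flow instead of producing a TCL error and a reset; and because the redirect target is looked up from a fixed list rather than built from session.server.landinguri or the request path, an attacker-supplied landing URI can at most select one of the configured IdP resources, never an arbitrary destination.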
- nag_54823
Cirrostratus
Glad to hear that it works Jitu.
- Daniel_Varela
Employee
Hi Jitu, glad it works! Sorry, I just pasted the command as it appears in the API documentation.
Cheers
- jitu
Nimbostratus
Thanks all of you !! have a great day.